# [CRIT] [GHSA / CRITICAL] CVE-2026-44848: Portainer missing authorization on Docker plugin endpoints, which allows host RCE

**Source:** GitHub Security Advisories
**Published:** 2026-05-14
**Article:** https://github.com/advisories/GHSA-rrmm-9v76-h3p4

## Threat Profile

Portainer missing authorization on Docker plugin endpoints, which allows host RCE

## Summary

Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks.

The Docker plugin management endpoints (`/plugins/*`) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations —…
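The handler-registry pattern the summary describes, shown here as an added illustration rather than Portainer's own code: each Docker API resource has a registered authorization check, and the fallback for a resource that nobody registered (such as `plugins`) denies standard users instead of proxying the request unchecked. The URL layout `/api/endpoints/{id}/docker/{resource}/...`, the `isAdmin` flag and the one container rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// authzHandler is a per-resource check: 200 passes the request on to the Docker API, 403 blocks it.
type authzHandler func(isAdmin bool, r *http.Request) int
// policy maps a Docker API resource ("containers", "plugins", ...) to its check.
type policy map[string]authzHandler
// dockerPath matches the assumed proxy layout /api/endpoints/{id}/docker/{resource}/...
var dockerPath = regexp.MustCompile(`^/api/endpoints/\d+/docker/([^/]+)`)

// resourceOf returns the resource segment of a proxied Docker API path, or "" if it is not one.
func resourceOf(path string) string {
	if m := dockerPath.FindStringSubmatch(path); m != nil {
		return m[1]
	}
	return ""
}

// Authorize dispatches to the registered handler. The fallback is the point of the example:
// a resource with no handler is denied for non-admins instead of being proxied unchecked.
func (p policy) Authorize(isAdmin bool, r *http.Request) int {
	if h, ok := p[resourceOf(r.URL.Path)]; ok {
		return h(isAdmin, r)
	}
	if isAdmin {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// defaultPolicy registers one constructed rule: standard users may only read containers.
func defaultPolicy() policy {
	return policy{"containers": func(isAdmin bool, r *http.Request) int {
		if isAdmin || r.Method == http.MethodGet {
			return http.StatusOK
		}
		return http.StatusForbidden
	}}
}

func main() {
	req := httptest.NewRequest(http.MethodPost, "/api/endpoints/1/docker/plugins/pull?remote=example/plugin", nil)
	fmt.Println("standard user POST plugins/pull ->", defaultPolicy().Authorize(false, req)) // 403
}
```

Without the fallback branch in `Authorize`, the unregistered `plugins` resource would fall through to the proxy for every caller, which is the shape of the missing-authorization bug described above.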

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-44848`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1068** — Exploitation for Privilege Escalation
- **T1611** — Escape to Host
- **T1610** — Deploy Container

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Portainer plugin management API access (CVE-2026-44848)

`UC_298_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method=POST (Web.url="*api/endpoints/*/docker/plugins/pull*" OR Web.url="*api/endpoints/*/docker/plugins/*/enable*") by Web.src Web.dest Web.url Web.user Web.http_user_agent Web.status
| `drop_dm_object_name(Web)`
| where status<400
| sort 0 -lastTime
```

### Docker plugin runtime spawned from /var/lib/docker/plugins/ on host (CVE-2026-44848)

`UC_298_2` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path="/var/lib/docker/plugins/*" (Processes.parent_process_name=dockerd OR Processes.parent_process_name=containerd OR Processes.parent_process_name=containerd-shim OR Processes.parent_process_name=containerd-shim-runc-v2 OR Processes.parent_process_name=runc) by Processes.dest Processes.user Processes.process_name Processes.process_path Processes.process Processes.parent_process_name Processes.parent_process
| `drop_dm_object_name(Processes)`
| sort 0 -lastTime
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath startswith "/var/lib/docker/plugins/"
| where InitiatingProcessFileName in~ ("dockerd","containerd","containerd-shim","containerd-shim-runc-v2","runc")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath
| order by Timestamp desc
```

### Docker daemon plugin install/enable event from non-admin context (CVE-2026-44848)

`UC_298_3` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
index=* sourcetype IN ("linux:syslog","linux:journald") process_name=dockerd ("plugins/pull" OR "plugin enabled" OR "plugin pull" OR "plugin install" OR "POST /plugins/")
| rex field=_raw "plugin(?:s)?[/=](?<plugin_op>pull|enable|install)"
| rex field=_raw "plugin[ =:](?<plugin_name>[A-Za-z0-9_/.:@\-]+)"
| stats count min(_time) as firstTime max(_time) as lastTime values(plugin_name) as plugin_name by host plugin_op
| sort 0 -lastTime
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-44848`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
