Portainer Community Edition JWT Token Leakage Vulnerability

Vulnerability

Portainer Community Edition versions 2.33.0 prior to 2.33.8, 2.39.0 prior to 2.39.2, and 2.40.0 prior to 2.41.0 are affected. The authentication middleware that protects the API accepts a JWT bearer token supplied as a '?token=<JWT>' URL query parameter, not only in the Authorization header. A token carried in the URL is recorded wherever the URL is: in reverse-proxy access logs, in browser history, and in the HTTP Referer header sent to any site the user navigates to afterwards. Until it expires (default lifetime 8 hours) the token grants the full privileges of its owner to whoever obtains it, whether someone with read access to those logs or an external site that received it in a Referer. Every user's token is exposed this way, not only an administrator's; a token belonging to a user with exec or attach rights on containers is already enough to run commands inside those containers.
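The pattern behind the flaw, shown as an added example rather than Portainer's own code: a token lookup that falls back to the URL query string, beside a header-only lookup, plus the request field a reverse proxy writes to its access log. The API path and the token value are constructed for the illustration.

```python
"""Added illustration of the flaw described above: a token lookup that
falls back to the URL query string, beside a header-only lookup. This is
constructed example code, not Portainer's own middleware."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def _bearer_from_header(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].strip()
    return token or None


def get_token_vulnerable(headers: dict, url: str) -> Optional[str]:
    """Vulnerable pattern: header first, then ?token=<JWT> from the URL.
    The fallback is what lets a token end up in access logs, browser
    history and Referer headers."""
    token = _bearer_from_header(headers)
    if token:
        return token
    query = parse_qs(urlsplit(url).query)
    values = query.get("token")
    return values[0] if values else None


def get_token_hardened(headers: dict, url: str) -> Optional[str]:
    """Hardened pattern: the URL is never consulted, so a request that
    only carries ?token= is treated as unauthenticated."""
    return _bearer_from_header(headers)


def proxy_request_log(method: str, url: str, status: int) -> str:
    """The request field a reverse proxy writes to its access log (the
    '"GET /path?query HTTP/1.1" status' part of nginx's combined format).
    The query string, token included, is logged verbatim."""
    return f'"{method} {url} HTTP/1.1" {status}'


if __name__ == "__main__":
    jwt = "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6N30.c2lnbmF0dXJl"  # constructed token
    url = f"/api/endpoints/1/docker/containers/json?token={jwt}"  # assumed path
    print("vulnerable lookup:    ", get_token_vulnerable({}, url))
    print("hardened lookup:      ", get_token_hardened({}, url))
    print("what the proxy logged:", proxy_request_log("GET", url, 200))
```

The hardened lookup keeps the same signature so it can drop into the same call site; the only change is that the URL is ignored, which is exactly the behaviour the fixed releases adopt.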

Impact

Anyone holding a leaked JWT can call the API as the token's owner until the token expires. If the owner is an administrator, that is full API access, including user management and container execution rights, which in turn can be used to compromise the host the containers run on.

Remediation

Upgrade to Portainer 2.33.8, 2.39.2, or 2.41.0. Where an immediate upgrade is not possible: strip the 'token' query parameter at the reverse proxy before the request is logged or forwarded, audit existing access logs (and any log aggregation they feed) for 'token=' occurrences and treat every token found as compromised for the rest of its lifetime, and avoid sharing Portainer URLs that carry a token.
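The log audit step above, as an added example that is not part of the original advisory: it scans nginx combined-format access log lines for a 'token=' query parameter, decodes the JWT payload without verifying it (the token is already considered compromised; the claims only help triage), reports which tokens are still within their lifetime at a given reference time, and produces a redacted copy of each line. The log lines, the token and its claim names (id, username, exp) are constructed for the sample, not taken from a real Portainer deployment.

```python
"""Added example: audit reverse-proxy access logs for leaked ?token= JWTs.
Not part of the original advisory; sample data below is constructed."""
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Build a three-part token for the constructed sample. The signature
    segment is a dummy; the audit never verifies it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


# Constructed sample: token issued 21:00 UTC with the 8 hour default lifetime.
ISSUED_AT = datetime(2026, 5, 28, 21, 0, tzinfo=timezone.utc)
SAMPLE_JWT = make_sample_jwt({
    "id": 7, "username": "ops-user",  # claim names assumed for the sample
    "exp": int((ISSUED_AT + timedelta(hours=8)).timestamp()),
})

# Constructed access-log lines in nginx "combined" format, not real logs.
SAMPLE_LOG = (
    '10.0.0.5 - - [28/May/2026:21:55:01 +0000] "GET /api/endpoints HTTP/1.1" 200 812 "-" "Mozilla/5.0"\n'
    f'10.0.0.7 - - [28/May/2026:21:56:14 +0000] "GET /api/websocket/exec?endpointId=1&id=c0ffee&token={SAMPLE_JWT} HTTP/1.1" 101 0 "-" "Mozilla/5.0"\n'
    '10.0.0.9 - - [28/May/2026:21:58:40 +0000] "GET /api/users/me?token=not-a-jwt HTTP/1.1" 401 52 "-" "curl/8.0"\n'
)

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r'(?<=[?&])token=([^&\s]+)')
JWT_RE = re.compile(r'^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$')


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Decode the payload segment WITHOUT signature verification. This is
    triage of a token we already treat as leaked, not authentication."""
    if not JWT_RE.match(token):
        return None
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


def find_leaked_tokens(log_text: str, now: datetime) -> list:
    """Return one finding per token= occurrence in a request URI. A token
    whose exp claim lies after `now` is flagged as still usable."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for token_m in TOKEN_RE.finditer(m.group("uri")):
            claims = decode_jwt_claims(token_m.group(1))
            exp = claims.get("exp") if claims else None
            findings.append({
                "line": line_no,
                "client": m.group("client"),
                "uri": m.group("uri"),
                "claims": claims,
                "still_valid": exp is not None and now.timestamp() < exp,
            })
    return findings


def redact_line(line: str) -> str:
    """Copy of a log line with every token= value replaced, for safe sharing."""
    return TOKEN_RE.sub("token=REDACTED", line)


if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG, datetime.now(timezone.utc)):
        print(f"line {f['line']} from {f['client']}: claims={f['claims']} "
              f"still_valid={f['still_valid']}")
    print(redact_line(SAMPLE_LOG.splitlines()[1]))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; every finding, valid or expired, identifies a user whose session was exposed and a client address worth correlating with other requests from the same period.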

Added: May 28, 2026, 10:30 PM
Updated: May 28, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 3.1
exploitability: 6.0
remediation: 7.7
relevance: 9.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.