Portainer Community Edition Missing Authorization Vulnerability in Custom Template File Endpoint Allowing Unauthorized File Access

Vulnerability

A missing authorization vulnerability has been identified in Portainer Community Edition versions 2.33.0 prior to 2.33.8 and 2.39.0 prior to 2.39.1. The vulnerability exists in the Custom Template file endpoint (GET /api/custom_templates/{id}/file), which returns a template's file content without enforcing the template's Resource Control access restrictions, so any authenticated user can read the file content of every custom template by sequentially enumerating integer IDs. This exposes sensitive information such as connection strings, API tokens, or registry credentials that should not be accessible to standard users.
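As an added example that is not part of this advisory or of Portainer's own code, the following Python script scans access-log lines for accounts that read the custom template file endpoint across a run of consecutive integer IDs, the access pattern described above. The log lines are constructed, and the line format, user names and run threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines, not real Portainer output.
# Assumed line format: "<timestamp> <user> <method> <path> <status>".
SAMPLE_LOG = """\
2026-05-28T10:00:01Z alice GET /api/custom_templates/7/file 200
2026-05-28T10:00:02Z bob   GET /api/custom_templates/1/file 200
2026-05-28T10:00:02Z bob   GET /api/custom_templates/2/file 200
2026-05-28T10:00:03Z bob   GET /api/custom_templates/3/file 200
2026-05-28T10:00:03Z bob   GET /api/custom_templates/4/file 200
2026-05-28T10:00:04Z bob   GET /api/custom_templates/5/file 200
2026-05-28T10:00:05Z carol GET /api/custom_templates/2/file 200
2026-05-28T10:01:00Z carol GET /api/custom_templates/9/file 200
2026-05-28T10:01:01Z bob   GET /api/endpoints 200
"""

# Only reads of the template file endpoint named in the advisory are of interest.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+GET\s+/api/custom_templates/(\d+)/file\s+(\d{3})$"
)

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in a collection of IDs."""
    ids = set(ids)
    best = 0
    for i in ids:
        if i - 1 in ids:
            continue  # only start counting from the low end of a run
        n = 0
        while i + n in ids:
            n += 1
        best = max(best, n)
    return best

def find_enumerators(log_text, min_run=4):
    """Return {user: sorted distinct template IDs} for users whose reads of the
    template file endpoint include a run of at least min_run consecutive IDs."""
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other endpoints are ignored
        _, user, tid, _ = m.groups()
        ids_by_user[user].add(int(tid))
    return {u: sorted(ids) for u, ids in ids_by_user.items()
            if longest_consecutive_run(ids) >= min_run}

if __name__ == "__main__":
    for user, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{user}: consecutive reads of custom template IDs {ids}")
```

On a patched instance the same pattern shows up as a run of non-2xx responses rather than 200s, so counting attempts regardless of status keeps the check useful after upgrading.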

Impact

Exploitation of this vulnerability allows any authenticated user to access the file content of all custom templates on the Portainer instance, potentially exposing sensitive environment-specific information such as database connection strings, API tokens, or registry credentials.

Remediation

Upgrade to Portainer Community Edition 2.33.8 (the fix for the 2.33.x LTS branch) or 2.39.1 to address this vulnerability. Administrators who cannot immediately upgrade should avoid storing sensitive information in custom templates, review existing templates for embedded secrets, and rotate any credentials that may have been exposed.

Added: May 28, 2026, 10:28 PM
Updated: May 28, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 5.2
remediation: 8.3
relevance: 9.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.