CVE-2026-44849: Portainer has an endpoint security bypass via Swarm service create/update

Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts.

The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker Swarm endpoint via Portainer RBAC. Admins and users without Swarm endpoint access are not affected.

These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API:

• POST /services/create — 1 of 7 checks applied. CapabilityAdd, CapabilityDrop, Sysctls, and Privileges (Seccomp / AppArmor) are not parsed from the request body and are forwarded to the Docker daemon without validation.
• POST /services/{id}/update — 0 of 7 checks applied. The route dispatches to the generic restrictedResourceOperation, which validates RBAC ownership but does not inspect the request body or call fetchEndpointSecuritySettings().

The EndpointSecuritySettings checks apply when the administrator has configured any of AllowContainerCapabilitiesForRegularUsers, AllowSysctlSettingForRegularUsers, AllowSecurityOptForRegularUsers, or AllowBindMountsForRegularUsers to restrict standard users.

A regular user with access to a Docker Swarm endpoint can:

• Create a service with CapabilityAdd: ["SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", …] or Privileges.Seccomp.Mode: "unconfined".
• Create a benign service that passes ownership checks, then update it to add CapabilityAdd: ["ALL"] plus a bind mount of /, scale to one replica, and access the host filesystem from the running container (e.g. via chroot /host).

In addition, the partial Mounts[] struct used by the bind-mount check inspects only the top-level Type field. A mount with Type: "volume" and VolumeOptions.DriverConfig.Options: {type: "none", o: "bind", device: "<host path>"} is forwarded to the Docker daemon unchanged; the local volume driver then materialises it as a bind-equivalent mount, bypassing AllowBindMountsForRegularUsers. The same field path is accepted by the standalone POST /volumes/create endpoint, which never had any AllowBindMountsForRegularUsers check on any branch.

This undermines the administrator’s configured security policy on Swarm-enabled endpoints.