CVE-2026-44885: Portainer has a path traversal in backup archive extraction that allows arbitrary file write

May 14, 2026

Portainer’s backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal — a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem.

References

github.com/advisories/GHSA-m8fg-67j7-cx4v
github.com/portainer/portainer/commit/e02ae6b2fb69668d1cd7d07cb873dfcdd9cf1e42
github.com/portainer/portainer/releases/tag/2.33.8
github.com/portainer/portainer/security/advisories/GHSA-m8fg-67j7-cx4v
nvd.nist.gov/vuln/detail/CVE-2026-44885

Code Behaviors & Features

Detect and mitigate CVE-2026-44885 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →