Missing Authorization
CVE-2026-44848
Summary
Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks. The Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations -- including installing and enabling plugins -- directly against the underlying Docker daemon.

The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. Administrators and users without Docker endpoint access are not affected.

A regular user with access to a Docker endpoint can:
- Pull an arbitrary plugin from any registry via 'POST /plugins/pull'.
- Grant it the privileges it requests, including 'CAP_SYS_ADMIN' and host-path mounts.
- Enable the plugin via 'POST /plugins/{name}/enable', at which point Docker runs the plugin with root privileges on the host.

Docker plugins execute as root on the host and can request arbitrary host capabilities and mounts. Enabling a crafted plugin gives the user access to the host filesystem and privileges equivalent to root on the Docker host.

This issue affects Portainer versions from 2.33.0 prior to 2.33.8, 2.39.0 prior to 2.39.2, and 2.40.0 prior to 2.41.0.
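To make the failure mode concrete from a defender's perspective, the following is an added example, written for this page and not taken from Portainer's code base, of a simplified Docker API proxy router in Go. It models the condition the advisory describes: a prefix-to-handler map in which /plugins has no registered handler, and a fall-through that forwards unmatched paths to the daemon without any check. The hardened variant registers /plugins as admin-only and, as defence in depth, rejects any prefix that has no handler. All type, function and role names are hypothetical, the version-prefix parsing is a simplification, and the sample requests (including the plugin name "example") are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is the caller's Portainer-level role; Decision is the proxy's verdict.
// All names here are illustrative, not Portainer's own types.
type Role int
type Decision string

const (
	RoleStandard Role = iota
	RoleAdmin
)

const (
	Deny  Decision = "DENY"
	Allow Decision = "ALLOW"
)

// Request is a minimal stand-in for a Docker API request reaching the proxy.
type Request struct {
	Path string
	Role Role
}

// handler is a per-resource authorization check.
type handler func(Request) Decision

func allowEndpointUsers(Request) Decision { return Allow } // any user with endpoint access

func adminOnly(r Request) Decision { // reserved for administrators
	if r.Role == RoleAdmin {
		return Allow
	}
	return Deny
}

// Router maps a resource prefix ("/containers", "/plugins", ...) to its handler.
// denyUnmatched=false forwards unregistered prefixes to the daemon unchecked (the flaw).
type Router struct {
	handlers      map[string]handler
	denyUnmatched bool
}

// resourcePrefix returns the resource segment, skipping an optional API version:
// "/v1.41/plugins/pull" -> "/plugins".
func resourcePrefix(path string) string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) > 1 && strings.HasPrefix(parts[0], "v") && strings.Contains(parts[0], ".") {
		parts = parts[1:]
	}
	return "/" + parts[0]
}

// Authorize decides whether the request may be forwarded to the Docker daemon.
func (rt *Router) Authorize(r Request) Decision {
	if h, ok := rt.handlers[resourcePrefix(r.Path)]; ok {
		return h(r)
	}
	if rt.denyUnmatched {
		return Deny
	}
	return Allow // fall-through: no handler, so the request reaches the daemon unchecked
}

// NewVulnerableRouter reproduces the advisory's condition: /plugins has no
// handler and unmatched prefixes are forwarded.
func NewVulnerableRouter() *Router {
	return &Router{handlers: map[string]handler{
		"/containers": allowEndpointUsers,
		"/images":     allowEndpointUsers,
	}}
}

// NewHardenedRouter registers /plugins as admin-only and, as defence in depth,
// rejects any prefix that has no handler instead of forwarding it.
func NewHardenedRouter() *Router {
	rt := NewVulnerableRouter()
	rt.handlers["/plugins"] = adminOnly
	rt.denyUnmatched = true
	return rt
}

func main() {
	vuln, hard := NewVulnerableRouter(), NewHardenedRouter()
	for _, r := range []Request{ // constructed sample requests; "example" is a placeholder plugin name
		{"/v1.41/containers/json", RoleStandard},
		{"/v1.41/plugins/pull", RoleStandard},
		{"/v1.41/plugins/example/enable", RoleStandard},
		{"/v1.41/plugins/example/enable", RoleAdmin},
	} {
		fmt.Printf("%-32s role=%d vulnerable=%-5s hardened=%s\n", r.Path, r.Role, vuln.Authorize(r), hard.Authorize(r))
	}
}
```

The design point is the default on the unmatched branch: a proxy that enforces authorization per resource must treat "no handler registered" as a deny, because every new daemon API surface (plugins here, but any future prefix as well) would otherwise be exposed until someone remembers to register it.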
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-862 - Missing Authorization
A missing authorization vulnerability occurs when software allows users to reach privileged parts of the program without verifying that they are authorized to do so. The impact of such a vulnerability depends on the resources the software controls, ranging from account takeover to sensitive information exposure, denial of service, and complete system takeover.
References
Advisory Timeline
- Published