Missing Authorization
CVE-2026-44849
Summary
A Security Policy Bypass vulnerability exists in Portainer versions from 2.33.0 prior to 2.33.8, 2.39.0 prior to 2.39.2 and 2.40.0 prior to 2.41.0, where 'EndpointSecuritySettings' restrictions are not properly enforced for Docker Swarm service operations. When a non-admin user with RBAC access to a Swarm endpoint invokes the '/services/create' and '/services/{id}/update' APIs, critical security controls such as Linux capabilities, sysctls, security options (Seccomp/AppArmor), and bind mounts are either partially validated or not validated at all. This allows a low-privileged user to escalate container privileges, apply unrestricted security configurations, and potentially gain access to the host filesystem via crafted service definitions or mount configurations. Additionally, improper validation of volume driver options enables bypass of bind mount restrictions, undermining administrator-defined security policies on Swarm-enabled endpoints.
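As an added illustration (not Portainer's code), the following Go sketch shows the kind of server-side policy check the summary describes as missing: one validator applied to the full service spec on both the create and update paths, covering capabilities, sysctls, security options and mounts, and treating a volume whose driver options bind a host path as a bind mount. The struct and field names are simplified assumptions, not the real Docker API or Portainer types.

```go
package main

import "strings"

// Simplified stand-ins for the Swarm spec fields the advisory names
// (assumption: not the real docker/api types Portainer uses).
type Mount struct {
	Type, Source  string            // "bind" or "volume"; host path or volume name
	DriverOptions map[string]string // VolumeOptions.DriverConfig.Options
}
type ContainerSpec struct {
	CapabilityAdd []string
	Sysctls       map[string]string
	SecurityOpts  []string // e.g. "seccomp=unconfined", "apparmor=unconfined"
	Mounts        []Mount
}

// Hypothetical mirror of EndpointSecuritySettings; field names are assumed.
type EndpointSecuritySettings struct {
	AllowBindMounts, AllowCapAdd, AllowSysctls, AllowSecurityOpts bool
}

// ValidateServiceSpec returns every policy violation; an empty result means the
// spec may be applied. Run it on the full incoming spec for both
// /services/create and /services/{id}/update, so neither path is a bypass.
func ValidateServiceSpec(spec ContainerSpec, s EndpointSecuritySettings) []string {
	var v []string
	if !s.AllowCapAdd && len(spec.CapabilityAdd) > 0 {
		v = append(v, "CapabilityAdd is not permitted on this endpoint")
	}
	if !s.AllowSysctls && len(spec.Sysctls) > 0 {
		v = append(v, "Sysctls are not permitted on this endpoint")
	}
	if !s.AllowSecurityOpts && len(spec.SecurityOpts) > 0 {
		v = append(v, "security options (seccomp/AppArmor) are not permitted")
	}
	for _, m := range spec.Mounts {
		if !s.AllowBindMounts && reachesHost(m) {
			v = append(v, "host mount via "+m.Source+" is not permitted")
		}
	}
	return v
}

// reachesHost flags an explicit bind mount and also a named volume whose driver
// options bind a host path (local driver: o=bind with device=<path>); a check
// that looks only at Mount.Type misses the second case.
func reachesHost(m Mount) bool {
	return m.Type == "bind" || (m.Type == "volume" &&
		(m.DriverOptions["device"] != "" || strings.Contains(m.DriverOptions["o"], "bind")))
}
```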
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-862 - Missing Authorization
A missing authorization vulnerability occurs when a program lets a user reach privileged functionality without verifying that the user is actually authorized to use it. The impact depends on the resources the software controls and ranges from account takeover and sensitive information exposure to denial of service and complete system takeover.
Advisory Timeline
- Published