In EzMaster before 5.2.11 docker containers were executed with advanced privileges by default
Description
EzMaster containers could run with elevated Linux capabilities, allowing an admin user to execute commands as root inside the container.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In EzMaster versions prior to 5.2.11, all launched containers (instances) were executed with advanced Docker capabilities, effectively running as root. This means any admin user could obtain root-level privileges inside a container even when it was not necessary for normal operation. The issue was fixed by making the admin sys mode conditional—by default, no instance is launched with advanced capabilities, and root mode is disabled. [1][2][3]
Exploitation
An attacker with administrative access to the EzMaster management interface could launch or reconfigure an instance, and the container would start with extended Linux capabilities (such as CAP_SYS_ADMIN or similar). No additional user interaction is required beyond standard admin operations; the vulnerable behavior was the default for all instances. [3]
Impact
Successful exploitation allows an admin user to execute arbitrary commands as root inside the container, gaining full control of that container. This could lead to unauthorized access to data, modification of the container’s filesystem, or further pivot attacks against the host if additional container escape techniques are combined. [3]
Mitigation
The vulnerability is fixed in EzMaster version 5.2.11, released as part of the same update. Users should upgrade to 5.2.11 or later to remove default root capabilities. No workaround is available for earlier versions other than upgrading. The advisory notes that all containers are affected before the patch. [2][3]
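To check whether instances on a host still run with elevated capabilities after the upgrade, the JSON printed by `docker inspect` can be audited. The script below is an added example, not EzMaster code. The sample data and container names are constructed, and the set of capabilities treated as high risk is a choice made for this example, since the page does not state which capabilities EzMaster granted.

```python
import json

# Capabilities treated as high risk here (a choice made for this example).
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                  "SYS_RAWIO", "NET_ADMIN", "DAC_READ_SEARCH"}


def normalize_cap(name):
    """Docker accepts 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare without the prefix."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_container(entry):
    """Return findings for one object from `docker inspect` output."""
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    # CapAdd is null in inspect output when no capability was added.
    added = {normalize_cap(c) for c in (host.get("CapAdd") or [])}
    findings += ["cap_add:" + c for c in sorted(added & HIGH_RISK_CAPS)]
    if findings:
        # An empty User means no user was set, so the process starts as uid 0.
        user = ((entry.get("Config") or {}).get("User") or "").split(":")[0]
        if user in ("", "0", "root"):
            findings.append("runs_as_root")
    return findings


def audit(inspect_json):
    """Map container name -> findings; only containers with elevated privileges."""
    report = {}
    for entry in json.loads(inspect_json):
        findings = audit_container(entry)
        if findings:
            report[entry.get("Name", "<unnamed>").lstrip("/")] = findings
    return report


# Constructed sample in the shape of `docker inspect` output (names are made up).
SAMPLE = json.dumps([
    {"Name": "/demo-instance-1", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": None}},
    {"Name": "/demo-instance-2", "Config": {"User": "node"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_ADMIN", "CHOWN"]}},
    {"Name": "/demo-instance-3", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": None}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, ", ".join(findings))
```

On a live host, the output of `docker inspect $(docker ps -q)` can be passed to `audit()` in place of the sample.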
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: < 5.2.11
- (no CPE) range: < 5.2.11
Patches
1 patch: 6221a5337d38 Version 5.2.11
13 files changed · +19 −19
docker-compose.debug.yml+4 −4 modified@@ -21,7 +21,7 @@ services: ezmaster-api: container_name: ezmaster-api - image: inistcnrs/ezmaster:5.2.10-api + image: inistcnrs/ezmaster:5.2.11-api build: context: ./ezmaster-api args: @@ -65,7 +65,7 @@ services: ezmaster-front: container_name: ezmaster-front - image: inistcnrs/ezmaster:5.2.10-front + image: inistcnrs/ezmaster:5.2.11-front build: context: ./ezmaster-front args: @@ -106,7 +106,7 @@ services: ezmaster-rp: container_name: ezmaster-rp - image: inistcnrs/ezmaster:5.2.10-rp + image: inistcnrs/ezmaster:5.2.11-rp build: context: ./ezmaster-rp args: @@ -133,7 +133,7 @@ services: # webdav access point for ezmaster's instances data folder (using apache2) ezmaster-webdav: container_name: ezmaster-webdav - image: inistcnrs/ezmaster:5.2.10-webdav + image: inistcnrs/ezmaster:5.2.11-webdav build: context: ./ezmaster-webdav args:
docker-compose.yml+4 −4 modified@@ -5,7 +5,7 @@ services: ezmaster-api: container_name: ezmaster-api - image: inistcnrs/ezmaster:5.2.10-api + image: inistcnrs/ezmaster:5.2.11-api links: - ezmaster_db volumes: @@ -43,7 +43,7 @@ services: ezmaster-front: container_name: ezmaster-front - image: inistcnrs/ezmaster:5.2.10-front + image: inistcnrs/ezmaster:5.2.11-front environment: EZMASTER_USER: ${EZMASTER_USER} EZMASTER_PASSWORD: ${EZMASTER_PASSWORD} @@ -62,7 +62,7 @@ services: ezmaster-rp: container_name: ezmaster-rp - image: inistcnrs/ezmaster:5.2.10-rp + image: inistcnrs/ezmaster:5.2.11-rp environment: EZMASTER_UPLOAD_MAX_BODY_SIZE: ${EZMASTER_UPLOAD_MAX_BODY_SIZE} volumes: @@ -79,7 +79,7 @@ services: # webdav access point for ezmaster's instances data folder (using apache2) ezmaster-webdav: container_name: ezmaster-webdav - image: inistcnrs/ezmaster:5.2.10-webdav + image: inistcnrs/ezmaster:5.2.11-webdav volumes: - ./data/instances/:/usr/local/apache2/htdocs/ - ./logs/ezmaster-webdav/:/var/log/apache2/
ezmaster-api/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "ezmaster-api", - "version": "5.2.10", + "version": "5.2.11", "description": "ezmaster-api", "main": "index.js", "private": true,
ezmaster-api/package-lock.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "ezmaster-api", - "version": "5.2.10", + "version": "5.2.11", "lockfileVersion": 1, "requires": true, "dependencies": {
ezmaster-api/public/index.html+1 −1 modified@@ -15,7 +15,7 @@ <h1>ezMaster API</h1> <footer class="ezfooter"> <hr /> - <p><a href="https://github.com/Inist-CNRS/ezmaster">EzMaster</a> version 5.2.10</p> + <p><a href="https://github.com/Inist-CNRS/ezmaster">EzMaster</a> version 5.2.11</p> </footer> </body> </html> \ No newline at end of file
ezmaster-front/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "ezmaster-front", - "version": "5.2.10", + "version": "5.2.11", "description": "ezmaster-front", "private": true, "dependencies": {
ezmaster-front/package-lock.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "ezmaster-front", - "version": "5.2.10", + "version": "5.2.11", "lockfileVersion": 1, "requires": true, "dependencies": {
ezmaster-front/src/layout/Footer.js+1 −1 modified@@ -13,7 +13,7 @@ class Footer extends Component { <hr /> <div className="ezmaster-footer-text float-left ml-2"> <a href="https://github.com/Inist-CNRS/ezmaster">EzMaster</a>{" "} - <span>version 5.2.10</span> + <span>version 5.2.11</span> </div> <div className="ezmaster-footer-icon float-right mr-2"> <a href="https://github.com/Inist-CNRS/ezmaster" className="mr-2">
ezmaster-rp/index.html+1 −1 modified@@ -27,7 +27,7 @@ <h1>ezMaster Reverse Proxy</h1> <footer class="ezfooter"> <hr /> - <p><a href="https://github.com/Inist-CNRS/ezmaster">EzMaster</a> version 5.2.10</p> + <p><a href="https://github.com/Inist-CNRS/ezmaster">EzMaster</a> version 5.2.11</p> </footer>
ezmaster-webdav/README.md+1 −1 modified@@ -11,7 +11,7 @@ docker run --name my-webdav-share \ -e DATA_FOLDER_NO_CHMOD=0 \ -v /tmp/:/usr/local/apache2/htdocs/ \ -p 35270:35270 \ - inistcnrs/ezmaster:5.2.10-webdav + inistcnrs/ezmaster:5.2.11-webdav ``` WEBDAV_DATA_FOLDER is the local folder you want to share. The `$WEBDAV_DATA_FOLDER` content rights will be recursivly set to 777 by default. If you do not want this behavior, set the `DATA_FOLDER_NO_CHMOD` env var to `1`
OPERATION.md+1 −1 modified@@ -9,7 +9,7 @@ mkdir ./ezmaster && cd ezmaster mkdir -p ./data/applications ./data/instances ./data/manifests mkdir -p ./logs/ezmaster-front/ ./logs/ezmaster-rp/instances/ ./logs/ezmaster-webdav/ -wget https://raw.githubusercontent.com/Inist-CNRS/ezmaster/5.2.10/docker-compose.yml +wget https://raw.githubusercontent.com/Inist-CNRS/ezmaster/5.2.11/docker-compose.yml export EZMASTER_PUBLIC_IP="<Your ezmaster server IP>" export EZMASTER_FREE_PORT_RANGE="49152-60000" export EZMASTER_FULL_FS_PERCENT=80
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "ezmaster", - "version": "5.2.10", + "version": "5.2.11", "description": "Administration of docker applications without any IT skills", "private": true, "scripts": {
package-lock.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "ezmaster", - "version": "5.2.10", + "version": "5.2.11", "lockfileVersion": 1, "requires": true, "dependencies": {
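Review bot: the four `image:` lines changed in docker-compose.yml and docker-compose.debug.yml still point at mutable tags (`inistcnrs/ezmaster:5.2.11-api`, `-front`, `-rp`, `-webdav`), so a deployment has no way to confirm it pulled the build that carries the fix. Consider pinning each image by digest next to the tag, for example `image: inistcnrs/ezmaster:5.2.11-api@sha256:<digest>`, and updating the digests as part of the release step.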
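Review bot: in OPERATION.md the install step `wget https://raw.githubusercontent.com/Inist-CNRS/ezmaster/5.2.11/docker-compose.yml` downloads the compose file and uses it with no integrity check. Since this file decides which images run and with which settings, consider publishing a checksum for it with each release and adding a verification line (for instance `sha256sum -c`) right after the download.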
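Review bot: every changed line across these 13 files is a `5.2.10` to `5.2.11` string, so the change to how instances are launched cannot be reviewed from this commit; the commit message should reference the commit or pull request that carries it. As a style point, the version is hard-coded separately in ezmaster-front/src/layout/Footer.js, ezmaster-api/public/index.html, ezmaster-rp/index.html, the README and OPERATION.md; generating these from the root package.json `version` field would keep a release from shipping with mismatched version strings.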
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Inist-CNRS/ezmaster/blob/master/CHANGELOG.md (mitre, x_refsource_MISC)
- github.com/Inist-CNRS/ezmaster/pull/51 (mitre, x_refsource_MISC)
- github.com/Inist-CNRS/ezmaster/security/advisories/GHSA-g654-5qjf-g6cx (mitre, x_refsource_CONFIRM)