Update docker.io/portainer/portainer-ce Docker tag to v2.43.0


No problems deploying to Proxmox VE K3s Kubernetes cluster via Helm Chart and Flux V2 reconciliation in a GitOps approach with dependency update facilitated by Mend's Renovate Bot.

Also, the corresponding agents were automatically rolled out via Watchtower infrastructure on the Docker-only nodes, including the arm node, with dependency update facilitated by Mend's Renovate Bot.

This MR contains the following updates:

Package | Update | Change
docker.io/portainer/portainer-ce (source) | minor | 2.42.0 → 2.43.0

Release Notes

portainer/portainer (docker.io/portainer/portainer-ce)

v2.43.0: STS


Known issues

  • On Async Edge environments, an invalid update schedule date can be displayed when browsing a snapshot
Known issues with Podman support
  • Podman environments aren't supported by auto-onboarding script
  • It's not possible to add Podman environments via socket, when running a Portainer server on Docker (and vice versa)
  • Support for only CentOS 9, Podman 5 rootful

Changes

New and improved features
  • GitOps Sources: new Source Creation wizard, Source Detail screen and Source editing, with reuse of existing sources when adding Docker repository stacks and Kubernetes Helm-from-git installs
  • Display cached container images per node on Kubernetes
  • In-product installation flow for KubeSolo-based single-node edge deployments
  • Kubernetes application list and pod logs now default to expanded
  • Environment Group Detail View updated with a new sortable-list-based group list UI
Security improvements
  • Added a one-time setup token, printed to the server logs at startup, that is required to create the first administrator account or restore a backup on a new, uninitialised instance.
  • Implemented an SSRF protection mechanism with a configurable allow-list in settings (off / audit / enforce modes)
  • Added an endpoint authorization check to /api/kubernetes/{id}/* routes, preventing users with no access from enumerating Kubernetes resources
  • Fixed custom-template user-access checks that bypassed the Resource Control definition, allowing edit/inspect/delete authorization to ignore admins-only / public / team grants
  • Filter GET namespace results by the user's allowed-namespace list, returning Forbidden for namespaces the user cannot access
  • Bumped golang.org/x/net to v0.55.0 for the following CVEs:
    • CVE-2026-39821, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-42502, CVE-2026-42506
  • Bumped golang.org/x/crypto to v0.52.0 for the following CVEs:
    • CVE-2026-39830, CVE-2026-39831, CVE-2026-39832, CVE-2026-39833, CVE-2026-39834, CVE-2026-42508, CVE-2026-46595
  • Bumped go.opentelemetry.io/otel to v1.43.0 for the following CVEs:
    • CVE-2026-39882, CVE-2026-39883
  • Bumped github.com/go-git/go-git/v5 to v5.19.1 for the following CVEs:
    • CVE-2026-45571, GHSA-w5pp-99ch-qj29, CVE-2026-45570
  • Bumped Go stdlib to 1.26.4 for the following CVEs:
    • CVE-2026-42504, CVE-2026-27145, CVE-2026-42507
  • Bumped Go to 1.26.3 for the following CVEs:
    • CVE-2026-42499, CVE-2026-39836, CVE-2026-39820, CVE-2026-33814, CVE-2026-33811, CVE-2026-39826, CVE-2026-39823, CVE-2026-39825
  • Bumped containerd to 1.7.32 and containerd/v2 to 2.2.4 for the following CVEs:
    • CVE-2026-46680
  • Upgraded the kubectl-shell Helm SDK to helm/v4 4.1.4 for the following CVEs:
    • CVE-2026-35204, CVE-2026-35205
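
To make the SSRF allow-list item in the security list above concrete, here is an added example of how off / audit / enforce modes typically differ. It is not Portainer's code; the names Guard, Mode and Check and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type Mode int
const (
	Off     Mode = iota // no checks
	Audit               // record would-be blocks, let the request through
	Enforce             // reject anything not on the allow-list
)

// Guard is a hypothetical outbound-URL filter; entries are exact hosts or ".suffix".
type Guard struct {
	Mode    Mode
	Allowed []string
	Audited []string // audit-mode findings; a real service would log these
}

func (g *Guard) allowed(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, a := range g.Allowed {
		if host == a || (strings.HasPrefix(a, ".") && strings.HasSuffix(host, a)) {
			return true
		}
	}
	return false
}

// Check inspects the URL only; a complete control also validates the resolved IP at dial time.
func (g *Guard) Check(rawURL string) error {
	u, err := url.Parse(rawURL)
	if g.Mode == Off || (err == nil && g.allowed(u.Hostname())) {
		return nil
	}
	if g.Mode == Audit {
		g.Audited = append(g.Audited, rawURL)
		return nil
	}
	return fmt.Errorf("ssrf guard: %q is not on the allow-list", rawURL)
}

func main() {
	g := &Guard{Mode: Enforce, Allowed: []string{"github.com"}}
	fmt.Println(g.Check("http://169.254.169.254/latest/meta-data/")) // constructed input
}
```

Running in audit mode first shows which existing Git sources or webhooks would break before enforce mode is switched on.
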
Bug fixes
  • Fixed edge stacks that could not be deployed (Helm file-path cleared incorrectly)
  • Fixed a ZodError (edgeStackId invalid input) when deploying an edge stack from a private repo to a group
  • Fixed "Invalid option: expected one of 1|2" error for environments in the waiting room
  • Fixed edge agent poll-handler timeouts and deadlocks; stale tunnels are now cleaned up immediately
  • Fixed webhook POST returning 404 "Unable to find a webhook with this token" (webhook ID creation in the frontend)
  • Fixed Git auto-update polling failures for regular stacks caused by a cancelled deployment context
  • Standard users with access permission can again browse and delete private registry images (2.39.2 regression)
  • Fixed a 500 error on stack deploy/update when an invalid ECR registry is present; ECR token pre-validation errors now log a warning instead
  • Networks assigned to a Docker Swarm service at creation time are now correctly applied to the created service
  • Restored YAML syntax highlighting in the web editor
  • Improved performance of the image up-to-date status indicator; the UI no longer becomes slow/unresponsive on environments with many containers
  • Replaced the agent's docker cp shell-out with the Docker SDK, removing the bundled docker binary; fixed directory archiving
  • Pass proxy configuration through to the compose-unpacker container
  • Now display a meaningful node count for Docker (non-swarm) on the home page
  • Fixed environment up/down summary counts that were the wrong way round
  • Fixed "Groups show No Environments" when environments are associated (Environment Groups detail breakdown regression)
  • Removed a duplicate success notification on environment group update
  • Environment group / home view UI bug fixes and environment-card consistency (long names wrap instead of overflowing)
  • Unified Kubernetes application container actions as icon buttons with tooltip hover
  • Improved the PVC deletion UX based on workload usage; fixed inability to delete unused Kubernetes volumes
  • PVC list now hides system-namespace PersistentVolumeClaims unless "show system resources" is enabled
  • Corrected the tooltip description for the pod-restart feature gate
  • Made connectivity-test transport errors distinct from other errors (Linux error handling)
  • Fixed table views missing horizontal margins
  • Restored badge colors that were not visible in dark mode
  • Fixed misalignment shown when an environment is down or has no containers

Deprecated and removed features

Deprecated features

None.

Removed features
  • Provision KaaS Cluster feature
