5.3
CVE-2026-55686
- EPSS 0.32%
- Veröffentlicht 26.06.2026 16:30:41
- Zuletzt bearbeitet 26.06.2026 19:53:30
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Podman: WORKDIR symlink traversal vulnerability
Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Podman Project ≫ Podman Version >= 3.0.0 < 5.7.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.234 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-61 UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
https://github.com/podman-container-tools/podman/security/advisories/GHSA-q6r4-3wmg-fwcq
https://github.com/podman-container-tools/podman/commit/d18e44e9abb3bf5b7294aa70806e1368fdddfdd0