7.5
CVE-2026-57231
- EPSS 0.26%
- Veröffentlicht 26.06.2026 16:29:02
- Zuletzt bearbeitet 06.07.2026 13:30:12
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Podman: Malformed Image can trick podman run into leaking host environment variables into the container
Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Podman Project ≫ Podman Version >= 1.8.1 < 5.8.4
Podman Project ≫ Podman Version6.0.0 Updaterc1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.173 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
https://github.com/podman-container-tools/podman/security/advisories/GHSA-4hq8-gpf5-8p68
https://github.com/podman-container-tools/podman/commit/6c431b73dbf8e4b20b778644d7a80caebdb75050