CVE Catalog

CVE-2026-57231

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

Podman from version 1.8.1 to 5.8.4 contains a vulnerability where a container image with an environment variable containing only a key without a value can trick Podman into passing that variable from the host into the container. Using an asterisk (*) causes all host variables to be passed, allowing a malicious image to exfiltrate Podman environment variables from the session where the container is launched.

Risk Assessment

The organization is at risk of leaking sensitive environment variables (e.g., tokens, passwords) set in the container launch session, potentially leading to unauthorized access to systems and data.

Recommendation

Immediately update Podman to version 5.8.4 or 6.0.0, which contain the fix for this vulnerability.

Original NVD description (English source)

Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS