Apple container CVE-2026-28909
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.
AnalysisAI
Credential exposure in Apple container allows unauthenticated remote attackers to steal registry credentials in plaintext when users connect to malicious registries with hostnames matching specific bypass patterns. The vulnerability affects container versions prior to 0.12.3 and requires user interaction to establish a connection to a malicious registry. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.
Technical ContextAI
The vulnerability exploits a flaw in hostname validation logic (CWE-522: Insufficient Logging) within the container registry authentication mechanism. The bypass pattern allows attackers to craft hostnames that evade credential filtering protections, causing the application to transmit authentication tokens in cleartext rather than through secured channels. This is a credential exposure issue rather than a traditional authentication bypass, suggesting the registry client either fails to apply expected protections (HTTPS enforcement, credential masking) or incorrectly parses hostname patterns that should trigger those protections. The affected product is Apple's container software, likely a container runtime or container image management tool.
RemediationAI
Upgrade Apple container to version 0.12.3 or later immediately. This patched version fixes the hostname bypass pattern that exposed credentials. The fix likely implements stricter hostname validation and ensures credentials are only transmitted over secured channels (HTTPS with certificate validation) regardless of hostname format. No workarounds are available for unpatched versions other than preventing users from connecting to untrusted registries via policy enforcement-instruct users to only authenticate against known, internal registries managed by your organization. If upgrading is blocked by compatibility constraints, implement network-level controls: block outbound registry connections to all but explicitly whitelisted internal registries, and monitor for suspicious registry connection attempts. See Apple's security advisory at https://github.com/apple/container/security/advisories/GHSA-m5rp-xcpf-r8m7 for detailed patch notes.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today