Skip to main content

Apple container CVE-2026-28909

MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-04-30 apple
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 14:22 vuln.today
CVSS changed
May 01, 2026 - 14:22 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 30, 2026 - 22:45 vuln.today
CVE Published
Apr 30, 2026 - 22:00 nvd
MEDIUM 6.5

DescriptionCVE.org

Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.

AnalysisAI

Credential exposure in Apple container allows unauthenticated remote attackers to steal registry credentials in plaintext when users connect to malicious registries with hostnames matching specific bypass patterns. The vulnerability affects container versions prior to 0.12.3 and requires user interaction to establish a connection to a malicious registry. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.

Technical ContextAI

The vulnerability exploits a flaw in hostname validation logic (CWE-522: Insufficient Logging) within the container registry authentication mechanism. The bypass pattern allows attackers to craft hostnames that evade credential filtering protections, causing the application to transmit authentication tokens in cleartext rather than through secured channels. This is a credential exposure issue rather than a traditional authentication bypass, suggesting the registry client either fails to apply expected protections (HTTPS enforcement, credential masking) or incorrectly parses hostname patterns that should trigger those protections. The affected product is Apple's container software, likely a container runtime or container image management tool.

RemediationAI

Upgrade Apple container to version 0.12.3 or later immediately. This patched version fixes the hostname bypass pattern that exposed credentials. The fix likely implements stricter hostname validation and ensures credentials are only transmitted over secured channels (HTTPS with certificate validation) regardless of hostname format. No workarounds are available for unpatched versions other than preventing users from connecting to untrusted registries via policy enforcement-instruct users to only authenticate against known, internal registries managed by your organization. If upgrading is blocked by compatibility constraints, implement network-level controls: block outbound registry connections to all but explicitly whitelisted internal registries, and monitor for suspicious registry connection attempts. See Apple's security advisory at https://github.com/apple/container/security/advisories/GHSA-m5rp-xcpf-r8m7 for detailed patch notes.

Share

CVE-2026-28909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy