Podman Desktop

2 CVEs product

CVE-2026-34045 CRITICAL PATCH Act Now

Denial-of-service and information disclosure in Podman Desktop prior to 1.26.2 stem from an unauthenticated HTTP server that any network attacker can reach without credentials or user interaction. By abusing missing connection limits and timeouts, an attacker exhausts file descriptors and kernel memory to crash the application or freeze the entire host, while verbose error responses leak internal filesystem paths and system details (including Windows usernames). SSVC marks exploitation as proof-of-concept and automatable; publicly available exploit code exists, but EPSS probability is low (0.06%, 19th percentile).

Tags: Information Disclosure, Kubernetes, Microsoft, Podman Desktop
Sources: NVD, GitHub, VulDB
CVSS 3.1: 9.1
EPSS: 0.1%

CVE-2026-24835 HIGH POC PATCH This Week

Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.

Tags: Authentication Bypass, Kubernetes, Red Hat, Podman Desktop, Podman
Sources: NVD, GitHub
CVSS 3.1: 7.1
EPSS: 0.1%
