CVE-2026-57231 | Podman is a tool for managing OCI containers and pods. From … | CVSS 7.5 HIGH

Description

Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0.

Metadata

CVE ID: CVE-2026-57231
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-24 02:21 UTC
Published: 2026-06-26 16:29 UTC
Last updated: 2026-06-27 02:41 UTC
Primary CWE: CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product: podman-container-tools / podman
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
podman-container-tools	podman	—	>= 1.8.1, < 5.8.4

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-668	cna	CWE-668: Exposure of Resource to Wrong Sphere

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (2)

https://github.com/podman-container-tools/podman/security/advisories/GHSA-4hq8-gpf5-8p68 https://github.com/podman-container-tools/podman/security/advisories/GHSA-4hq8-gpf5-8p68
https://github.com/podman-container-tools/podman/commit/6c431b73dbf8e4b20b778644d7a80caebdb75050 https://github.com/podman-container-tools/podman/commit/6c431b73dbf8e4b20b778644d7a80caebdb75050