CVE-2026-57231
Podman: Malformed Image can trick podman run into leaking host environment variables into the container
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0.
| CWE | CWE-200 CWE-668 |
| Vendor | podman-container-tools |
| Product | podman |
| Published | Jun 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for podman-container-tools podman
Be the first to know when new high vulnerabilities affecting podman-container-tools podman are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
podman-container-tools / podman
>= 1.8.1, < 5.8.4