CVE-2026-55686

Published: July 1, 2026Last modified: July 9, 2026

Description

Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.

Severity score breakdown

ParameterValue
Base score5.3
Attack VectorNETWORK
Attack complexityLOW
Privileges requiredNONE
User interactionNONE
ScopeUNCHANGED
ConfidentialityNONE
Integrity impactLOW
Availability impactNONE
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSpodmanFixed (5.6.2-r9)
25 LTSpodmanFixed (5.6.2-r8)
StreampodmanUnknown (4.5.1-r1)

References

ON THIS PAGE