Information disclosure via malicious container image environment variables
Summary
Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0. A flaw was found in Podman, a tool for managing OCI containers and pods. A malicious container image can be crafted with an environment variable that has a key but no value, or an asterisk (*), to trick Podman. This vulnerability causes Podman to pass host environment variables into the container. Consequently, a malicious image could exfiltrate all Podman environment variables set in the session from which the container is launched, leading to information disclosure. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-914. Fixed by RHSA-2026:29954 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- podman-main-6.0.0-1.hum1
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
- podman-main-6.0.0-1.hum1
- RHSA-2026:29954
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.