CVE-2026-28909
Received Received - Intake
Registry Credential Exposure in Container Runtime

Publication date: 2026-04-30

Last updated on: 2026-05-04

Assigner: Apple Inc.

Description
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28909
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apple container to 0.12.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when users connect to malicious registries whose hostnames match certain bypass patterns. In such cases, the users' registry credentials are exposed in plaintext, meaning that sensitive authentication information can be intercepted or accessed by attackers.

The issue has been addressed and fixed in container version 0.12.3.

Impact Analysis

If exploited, this vulnerability can lead to the exposure of your registry credentials in plaintext to malicious actors. This can result in unauthorized access to your container registries, potentially allowing attackers to manipulate, steal, or disrupt your container images and related resources.

Mitigation Strategies

To mitigate this vulnerability, update the container software to version 0.12.3 or later, where the issue is fixed.

Compliance Impact

This vulnerability exposes registry credentials in plaintext when users connect to malicious registries with specially crafted hostnames. Such exposure of sensitive authentication data can lead to unauthorized access and potential data breaches.

Exposure of sensitive credentials in plaintext may result in non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive information and the implementation of appropriate security measures to prevent unauthorized access.

Therefore, organizations using affected versions of the container package could face compliance risks if this vulnerability is exploited, as it compromises confidentiality of credentials and potentially other sensitive data.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for registry credentials being sent over unencrypted HTTP connections to hostnames that match the vulnerable prefix patterns such as localhost.*, 127.*, 192.168.*, 10.*, or 172.16.* through 172.31.*.

You can use network packet capture tools like tcpdump or Wireshark to inspect HTTP traffic for plaintext credentials.

  • Use tcpdump to capture HTTP traffic on port 80: tcpdump -i <interface> tcp port 80 -A
  • Filter captured traffic for suspicious hostnames matching the vulnerable prefixes.
  • Search for HTTP requests containing Authorization headers or other credential data in plaintext.

Additionally, check the container version in use; versions up to 0.12.1 are vulnerable, so upgrading to 0.12.3 or later is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28909. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart