CVE-2026-28909
Registry Credential Exposure in Container Runtime
Publication date: 2026-04-30
Last updated on: 2026-05-04
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apple | container | to 0.12.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when users connect to malicious registries whose hostnames match certain bypass patterns. In such cases, the users' registry credentials are exposed in plaintext, meaning that sensitive authentication information can be intercepted or accessed by attackers.
The issue has been addressed and fixed in container version 0.12.3.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to the exposure of your registry credentials in plaintext to malicious actors. This can result in unauthorized access to your container registries, potentially allowing attackers to manipulate, steal, or disrupt your container images and related resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the container software to version 0.12.3 or later, where the issue is fixed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability exposes registry credentials in plaintext when users connect to malicious registries with specially crafted hostnames. Such exposure of sensitive authentication data can lead to unauthorized access and potential data breaches.
Exposure of sensitive credentials in plaintext may result in non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive information and the implementation of appropriate security measures to prevent unauthorized access.
Therefore, organizations using affected versions of the container package could face compliance risks if this vulnerability is exploited, as it compromises confidentiality of credentials and potentially other sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for registry credentials being sent over unencrypted HTTP connections to hostnames that match the vulnerable prefix patterns such as localhost.*, 127.*, 192.168.*, 10.*, or 172.16.* through 172.31.*.
You can use network packet capture tools like tcpdump or Wireshark to inspect HTTP traffic for plaintext credentials.
- Use tcpdump to capture HTTP traffic on port 80: tcpdump -i <interface> tcp port 80 -A
- Filter captured traffic for suspicious hostnames matching the vulnerable prefixes.
- Search for HTTP requests containing Authorization headers or other credential data in plaintext.
Additionally, check the container version in use; versions up to 0.12.1 are vulnerable, so upgrading to 0.12.3 or later is recommended.