CVE-2026-57231
Received Received - Intake
Environment Variable Leak in Podman Container

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains a environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk (*) will cause podman to pass all host variables into the container. So essentially a malicious image can exfiltrate all podman environment variables that are set in the session from where the container is launched. This vulnerability is fixed in 5.8.4 and 6.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-57231
EUVD
EUVD-2026-39807
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
podman podman From 1.8.1 (inc) to 5.8.4 (exc)
podman podman 5.8.4
podman podman 6.0.0
podman podman to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Podman occurs when a container image contains an environment variable with only a key and no value. Podman mistakenly passes host environment variables into the container in such cases. If an asterisk (*) is used as the environment variable, Podman passes all host environment variables into the container. This allows a malicious container image to exfiltrate all environment variables from the host session where the container is launched.

The root cause is that Podman reuses parsing logic designed for command-line arguments, which does not properly validate environment variables in the image configuration. The vulnerability affects Podman versions from 1.8.1 up to 5.8.3 and versions below 6.0.0 in the v6 series.

The issue is fixed by rejecting invalid environment variable formats in the image spec, requiring variables to be in the proper key=value format.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by allowing a malicious container image to access and exfiltrate host environment variables. Since environment variables often contain secrets, credentials, or configuration data, this can compromise confidentiality.

Because the vulnerability allows leaking of host environment variables without any user interaction or privileges, it poses a high confidentiality risk. Attackers can exploit this to gain sensitive data from the host environment where Podman containers are run.

Users are advised not to run untrusted container images and to inspect image environment variables for malformed entries to mitigate this risk.

Detection Guidance

This vulnerability can be detected by inspecting container images for environment variables that are malformed, specifically those that contain only a key without a value or use an asterisk (*). Such malformed environment variables can cause Podman to leak host environment variables into the container.

Users are advised to inspect image configurations before execution to identify any environment variables that do not follow the key=value format.

While no explicit commands are provided in the resources, a practical approach would be to examine the environment variables defined in container images using Podman commands such as:

  • podman inspect <image-name> --format '{{json .Config.Env}}'
  • Look for entries that are keys without values or contain an asterisk (*)

Additionally, monitoring container runtime behavior for unexpected environment variable leaks or unusual network activity could help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, users should upgrade Podman to version 5.8.4 or later, or version 6.0.0 or later, where the issue is fixed.

Until the upgrade is applied, users should avoid running untrusted container images, especially those that might contain malformed environment variables.

Inspect container images for environment variables that do not conform to the key=value format and reject or avoid using images that contain such malformed entries.

The fix involves stricter parsing of environment variables, rejecting invalid formats, so applying the patch or updated Podman version will prevent host environment variable leakage.

Compliance Impact

This vulnerability allows a malicious container image to exfiltrate all Podman environment variables set in the host session where the container is launched. Since environment variables can contain sensitive information, this unauthorized data exposure poses a confidentiality risk.

Such unauthorized disclosure of sensitive host environment data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or sensitive information.

Therefore, if environment variables contain regulated or sensitive data, this vulnerability could compromise compliance by enabling data leakage from the host to a container.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart