Description
Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.
Published: 2026-04-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated HTTP server exposed by Podman Desktop allows attackers to trigger denial-of-service conditions and extract confidential information, such as internal paths and Windows usernames, by sending crafted requests; because the server enforces no connection limits or timeouts, an attacker can exhaust file descriptors and kernel memory, causing the application to crash or the host to freeze. The impact is therefore both denial of service and information disclosure, and the issue is classified under CWE-209 (error messages containing sensitive information), CWE-284 (improper access control), CWE-400 (uncontrolled resource consumption) and CWE-770 (allocation of resources without limits or throttling).

Affected Systems

Podman Desktop from the vendor podman-desktop is affected by this flaw in all releases prior to version 1.26.2; the issue applies to installations on any operating system supported by the application, including Windows, where sensitive data such as usernames may be leaked through verbose error messages.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, yet the EPSS score is below 1 %, meaning the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. However, the flaw requires neither authentication nor user interaction and is exploitable remotely over the network (CVSS attack vector AV:N), so any attacker who can reach the exposed port can cause application or host downtime and obtain confidential system details.

Generated by OpenCVE AI on April 14, 2026 at 01:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Podman Desktop to version 1.26.2 or later, which fixes the exposed webview server.
  • If an update is delayed, configure a firewall or use network segmentation to block external access to the port used by the webview server.
  • Enable logging and monitor for suspicious HTTP traffic or repeated connection attempts.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 23:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Linuxfoundation
                    |                | Linuxfoundation podman Desktop
CPEs                |                | cpe:2.3:a:linuxfoundation:podman_desktop:*:*:*:*:*:*:*:*
Vendors & Products  |                | Linuxfoundation
                    |                | Linuxfoundation podman Desktop

Tue, 14 Apr 2026 00:15:00 +0000

Type       | Values Removed        | Values Added
Weaknesses |                       | CWE-770
References |                       |
Metrics    | threat_severity: None | threat_severity: Important

Wed, 08 Apr 2026 19:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Podman-desktop
                    |                | Podman-desktop podman-desktop
Vendors & Products  |                | Podman-desktop
                    |                | Podman-desktop podman-desktop

Wed, 08 Apr 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 21:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.
Title       |                | Podman Desktop WebView Server Exposed
Weaknesses  |                | CWE-209
            |                | CWE-284
            |                | CWE-400
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T15:44:10.506Z

Reserved: 2026-03-25T15:29:04.745Z

Link: CVE-2026-34045

Vulnrichment

Updated: 2026-04-08T15:43:58.531Z

NVD

Status: Analyzed

Published: 2026-04-07T21:17:17.557

Modified: 2026-04-15T23:33:28.323

Link: CVE-2026-34045

Red Hat

Severity: Important

Public Date: 2026-04-07T20:52:32Z

Links: CVE-2026-34045 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:40:47Z