Description
Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious container image that contains a symlink in the WORKDIR field can cause the container runtime to resolve that symlink and create a new directory or modify ownership on the host filesystem. The vulnerability is a classic path traversal flaw (CWE‑59) that allows an attacker to influence a container's filesystem operations to reach unintended locations on the host. While the ability to change ownership is limited by the need for a race condition or an additional untrusted process, the ability to create directories or files can be leveraged for persistence or to facilitate further attacks. The impact is local but can lead to privilege escalation or tampering of host data if the attacker gains sufficient control.

Affected Systems

Podman Container Tools, Podman, versions 3.0.0 through 5.7.1 are affected; the fix is included in 5.7.1 and later releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity and the EPSS score is < 1%, meaning no quantified exploitation likelihood is currently reported. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires a malicious container image and the ability to resolve a symlink during WORKDIR processing, the attack vector is likely local but could be leveraged by users who pull untrusted images or run privileged containers. The risk to a host is significant if the attacker can influence where files are written or directories are created on the host filesystem.

Generated by OpenCVE AI on June 30, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Podman to version 5.7.1 or later to apply the vendor patch.
  • Verify that any container images used have no symbolic links in the WORKDIR path; scan images with appropriate tools or CI checks.
  • When upgrading immediately is not possible, run containers in rootless mode and enforce strict image security policies to limit the impact of any remaining flaws.

Generated by OpenCVE AI on June 30, 2026 at 01:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6r4-3wmg-fwcq Podman: WORKDIR symlink traversal vulnerability
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Podman-container-tools
Podman-container-tools podman
Vendors & Products Podman-container-tools
Podman-container-tools podman

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.
Title Podman: WORKDIR symlink traversal vulnerability
Weaknesses CWE-61
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Podman-container-tools Podman
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:31:36.842Z

Reserved: 2026-06-17T00:13:10.650Z

Link: CVE-2026-55686

cve-icon Vulnrichment

Updated: 2026-06-26T18:31:32.567Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T16:30:41Z

Links: CVE-2026-55686 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T01:45:03Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')

  • CWE-61

    UNIX Symbolic Link (Symlink) Following