Description
Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious container image whose WORKDIR path passes through a symbolic link inside the image's root filesystem can make the runtime, when it creates the working directory, follow that link with host semantics and create a directory on the host filesystem rather than inside the container's rootfs; with an additional race (see below) it can also change ownership of a host path. The weakness is symlink following (CWE-61), not classic path traversal: a path that should have been confined to the container's root is resolved against the host. The ownership change is the less likely outcome because it requires a cooperating untrusted process to mutate the host filesystem tree while WORKDIR is being dereferenced; the directory creation needs only that the image be run. The CVSS vector on this page rates the result as a low integrity impact with no confidentiality or availability impact (C:N/I:L/A:N): an attacker-controlled image can cause a directory to appear, or ownership to change, at a host location of the attacker's choosing. The page gives no further detail on how that could be chained into privilege escalation.
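The following is an added illustration of the bug class described above, written here in Python for readability; it is not Podman's code and does not reproduce the exact Podman code path. `naive_workdir_create` shows the vulnerable pattern (join WORKDIR onto the rootfs and let the kernel resolve it, so an absolute symlink inside the image escapes to the host), and `secure_join` shows the hardened pattern modelled on the SecureJoin algorithm (walk one component at a time with `lstat`, re-interpret every symlink target relative to the rootfs, never climb above it). `demo` builds a throwaway "host" directory with a rootfs whose `/app` is an absolute symlink pointing outside it; all of those names and paths are constructed for the example.

```python
import os
import stat
import tempfile


def naive_workdir_create(rootfs: str, workdir: str) -> str:
    """Vulnerable pattern: join WORKDIR onto the rootfs and let the kernel resolve
    it. Every symlink inside the image is followed with host semantics, so an
    absolute link such as /app -> /some/host/dir escapes the rootfs."""
    target = os.path.join(rootfs, workdir.lstrip("/"))
    os.makedirs(target, exist_ok=True)
    return os.path.realpath(target)


def secure_join(rootfs: str, path: str, max_links: int = 255) -> str:
    """Hardened pattern (modelled on the SecureJoin algorithm): walk `path` one
    component at a time with lstat, re-interpret every symlink target relative
    to `rootfs`, and never let '..' climb above it. The returned host path
    always lies inside `rootfs`."""
    rootfs = os.path.realpath(rootfs)
    resolved = ""                      # resolved prefix, relative to rootfs
    todo = [p for p in path.split("/") if p not in ("", ".")]
    links = 0
    while todo:
        part = todo.pop(0)
        if part == "..":
            resolved = os.path.dirname(resolved)   # dirname("") == "" keeps us at the root
            continue
        candidate = os.path.join(resolved, part)
        try:
            st = os.lstat(os.path.join(rootfs, candidate))
        except (FileNotFoundError, NotADirectoryError):
            resolved = candidate       # does not exist yet: nothing to follow
            continue
        if stat.S_ISLNK(st.st_mode):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links in " + path)
            target = os.readlink(os.path.join(rootfs, candidate))
            if target.startswith("/"):
                resolved = ""          # absolute target means the *container's* root
            # relative targets are resolved against the link's parent (`resolved`)
            todo = [p for p in target.split("/") if p not in ("", ".")] + todo
            continue
        resolved = candidate
    return os.path.join(rootfs, resolved) if resolved else rootfs


def demo() -> dict:
    """Constructed scenario: a temporary 'host' directory holding an image rootfs
    whose /app is an absolute symlink to a directory outside the rootfs."""
    host = os.path.realpath(tempfile.mkdtemp(prefix="host-"))
    rootfs = os.path.join(host, "rootfs")
    outside = os.path.join(host, "outside")
    os.makedirs(rootfs)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(rootfs, "app"))   # image content: /app -> <host>/outside

    naive = naive_workdir_create(rootfs, "/app/work")   # lands in <host>/outside/work
    safe = secure_join(rootfs, "/app/work")            # stays under <host>/rootfs/...
    os.makedirs(safe, exist_ok=True)
    inside = rootfs + os.sep
    return {
        "naive_path": naive,
        "naive_escaped": not naive.startswith(inside),
        "safe_path": safe,
        "safe_inside": safe.startswith(inside),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the naive join creating `outside/work` on the "host" while `secure_join` maps the same WORKDIR to a path beneath the rootfs. One caveat worth keeping in mind: a user-space walk like `secure_join` is still a check-then-use sequence, and a concurrent process that swaps a directory for a symlink between the `lstat` and the later `mkdir` can still win the race the description mentions for the ownership change; on Linux the race-free approach is to resolve with `openat2(2)` and `RESOLVE_IN_ROOT`, or to walk with directory file descriptors, which is a general recommendation and not something this page states about Podman's fix.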

Affected Systems

Podman versions from 3.0.0 up to, but not including, 5.7.1 are affected; the fix is included in 5.7.1 and later releases.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) rates the flaw medium, with a low integrity impact and no confidentiality or availability impact. The EPSS score is below 1%, so the predicted likelihood of exploitation in the wild is very low, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below nonetheless lists Exploitation as "poc" and Automatable as "yes". The attack requires getting a malicious image run on the target, which is why the vector scores the attack as network-delivered (an image pulled from a registry) even though the effect is confined to the host that runs it. Hosts that pull untrusted images, build or CI systems that run arbitrary images, and rootful deployments where the runtime writes to the host as root are the most exposed, since the attacker chooses where on the host the directory is created or the ownership changed.

Generated by OpenCVE AI on June 26, 2026 at 17:25 UTC.

Remediation

Vendor fix: Podman 5.7.1 (the description states the vulnerability is fixed in 5.7.1). No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Podman to version 5.7.1 or later, the release the description names as the fix.
  • Check that the WORKDIR of every image you run does not pass through a symbolic link inside the image: inspect the image config's WorkingDir and the layers that populate its path components, and gate this in CI so an image whose WORKDIR crosses a symlink is rejected before it reaches a host.
  • When upgrading immediately is not possible, run containers in rootless mode, so that any directory creation or ownership change the runtime performs on the host is limited to what the invoking user can already do, and enforce a strict image policy (for example, pulling only signed images from trusted registries) so that untrusted images are not run at all.
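One way to implement the CI check in the second action above, as an added example that is not OpenCVE's, Podman's or the advisory's code: given an image in OCI image layout form (what `podman save --format oci-dir -o DIR IMAGE` or `skopeo copy docker://IMAGE oci:DIR` produce), read the config's `WorkingDir`, then scan every layer tarball for a symlink entry sitting on WORKDIR or any of its parent components. Nothing is extracted, so the scanner itself cannot be tricked by the links it is looking for. `build_demo_layout` constructs a minimal layout inline (one gzip layer whose `/app` is a symlink; the `diff_ids` are simplified and not spec-accurate) so the check runs offline; the layout, names and digests are all constructed for the example.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile


def _blob_path(layout: str, digest: str) -> str:
    algo, hexdigest = digest.split(":", 1)
    return os.path.join(layout, "blobs", algo, hexdigest)


def _load_json_blob(layout: str, digest: str) -> dict:
    with open(_blob_path(layout, digest), "rb") as fh:
        return json.load(fh)


def workdir_symlink_findings(layout: str) -> list:
    """Return (layer_index, image_path, link_target) for every symlink, in any
    layer, that sits on WORKDIR or one of its parent directories. Follows the
    first manifest in index.json; layer tarballs are read, never extracted."""
    with open(os.path.join(layout, "index.json"), "rb") as fh:
        index = json.load(fh)
    manifest = _load_json_blob(layout, index["manifests"][0]["digest"])
    config = _load_json_blob(layout, manifest["config"]["digest"])
    workdir = config.get("config", {}).get("WorkingDir", "")
    parts = [p for p in workdir.split("/") if p not in ("", ".")]
    prefixes = {"/".join(parts[: i + 1]) for i in range(len(parts))}  # app, app/work, ...
    findings = []
    for i, layer in enumerate(manifest["layers"]):
        with tarfile.open(_blob_path(layout, layer["digest"]), "r:*") as tar:
            for member in tar.getmembers():
                name = os.path.normpath(member.name).lstrip("/")  # "./app/" -> "app"
                if member.issym() and name in prefixes:
                    findings.append((i, "/" + name, member.linkname))
    return findings


def _put_blob(layout: str, data: bytes) -> str:
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    os.makedirs(os.path.join(layout, "blobs", "sha256"), exist_ok=True)
    with open(_blob_path(layout, digest), "wb") as fh:
        fh.write(data)
    return digest


def build_demo_layout(workdir: str, link_target: str) -> str:
    """Constructed OCI image layout (demo input, not a real image): one gzip
    layer whose /app is a symlink to `link_target`, and a config whose
    WorkingDir is `workdir`. diff_ids are simplified, not spec-accurate."""
    layout = tempfile.mkdtemp(prefix="oci-")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("app")
        link.type, link.linkname = tarfile.SYMTYPE, link_target
        tar.addfile(link)
    layer = _put_blob(layout, buf.getvalue())
    config = _put_blob(layout, json.dumps({
        "architecture": "amd64", "os": "linux",
        "config": {"WorkingDir": workdir},
        "rootfs": {"type": "layers", "diff_ids": [layer]},
    }).encode())
    manifest = _put_blob(layout, json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": config},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": layer}],
    }).encode())
    with open(os.path.join(layout, "index.json"), "w") as fh:
        json.dump({"schemaVersion": 2, "manifests": [
            {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": manifest}]}, fh)
    return layout


if __name__ == "__main__":
    print(workdir_symlink_findings(build_demo_layout("/app/work", "/")))
```

A non-empty result is the CI failure condition. The check is deliberately strict: it flags a symlink on the WORKDIR path even when the link stays inside the image, because a later layer, a volume mount, or a concurrent writer can change what the link means at run time. It also has limits to keep in mind: it looks only at the first manifest of a multi-platform index, it cannot open zstd-compressed layers with the standard library's `tarfile`, and it does not apply whiteouts, so a symlink that a later layer replaces with a real directory is still reported (a false positive that is cheap to review by hand).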

Generated by OpenCVE AI on June 26, 2026 at 17:25 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-q6r4-3wmg-fwcq
Title: Podman: WORKDIR symlink traversal vulnerability
History

Fri, 26 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.
Title         (none)           Podman: WORKDIR symlink traversal vulnerability
Weaknesses    (none)           CWE-61
References    (none)           (none shown)
Metrics       (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:31:36.842Z

Reserved: 2026-06-17T00:13:10.650Z

Link: CVE-2026-55686

Vulnrichment

Updated: 2026-06-26T18:31:32.567Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following