Vulnerability Description
Podman is a tool for managing OCI containers and pods. In versions from 3.0.0 up to, but not including, 5.7.1, running a malicious container image whose WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. The ownership change is less likely, because it requires an untrusted or malicious process to mutate the host filesystem tree while the WORKDIR path is being dereferenced, triggering a race condition. This vulnerability is fixed in 5.7.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Podman Project | Podman | >= 3.0.0, < 5.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/podman-container-tools/podman/commit/d18e44e9abb3bf5b7294aa70 (Patch)
- https://github.com/podman-container-tools/podman/security/advisories/GHSA-q6r4-3 (Exploit, Patch, Vendor Advisory)
FAQ
What is CVE-2026-55686?
CVE-2026-55686 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership ...
How severe is CVE-2026-55686?
CVE-2026-55686 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-55686?
Check the references section above for vendor advisories and patch information. Affected products include: Podman Project Podman.