CVE-2026-44517: Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive
When processing build contexts or add/copy instructions, a malicious server serving a Git repository or a tar archive file can cause files outside of the build context directory to be included in the build context or copied into the build.
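As an added example (not code from the advisory or the affected project), the following pre-flight check lists entries in a downloaded tar build context that can reach outside the archive root. The advisory does not say how the escape happens, so the check assumes the general ways a tar entry can point outside its root (entry names and link targets); `audit_tar`, `build_sample` and the sample entries are hypothetical and constructed.

```python
import io
import posixpath
import tarfile

def _escapes(path: str) -> bool:
    """True if a lexically normalised archive path leaves the root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")

def audit_tar(fileobj) -> list[tuple[str, str]]:
    """Return (member name, reason) for entries that can reach outside the root."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:  # headers only; nothing is extracted
            if _escapes(m.name):
                findings.append((m.name, "member path leaves root"))
            elif m.issym():
                # Symlink targets resolve relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes(target):
                    findings.append((m.name, f"symlink -> {m.linkname}"))
            elif m.islnk() and _escapes(m.linkname):
                # Hard-link targets are relative to the archive root.
                findings.append((m.name, f"hardlink -> {m.linkname}"))
    return findings

def build_sample() -> io.BytesIO:
    """Constructed sample archive: two benign entries, three suspicious ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, type_=tarfile.REGTYPE, link="", data=b""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = type_, link, len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("ctx/Containerfile", data=b"FROM scratch\n")
        add("ctx/ok-link", tarfile.SYMTYPE, "Containerfile")
        add("ctx/shared", tarfile.SYMTYPE, "../../outside-dir")
        add("ctx/abs", tarfile.SYMTYPE, "/etc")
        add("../outside.txt", data=b"x")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_tar(build_sample()):
        print(f"{name}: {reason}")
```

The check is lexical only: it does not follow chains of links through directories that are themselves symlinks, so a clean result is not proof that extraction is safe.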