CVE-2026-55686: Podman: WORKDIR symlink traversal vulnerability
Running a malicous container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition.
References
- github.com/advisories/GHSA-q6r4-3wmg-fwcq
- github.com/podman-container-tools/podman/commit/7ce2e00ab140c11a68301f0b161f51984131a858
- github.com/podman-container-tools/podman/commit/d18e44e9abb3bf5b7294aa70806e1368fdddfdd0
- github.com/podman-container-tools/podman/security/advisories/GHSA-q6r4-3wmg-fwcq
- nvd.nist.gov/vuln/detail/CVE-2026-55686
Code Behaviors & Features
Detect and mitigate CVE-2026-55686 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →