CVE-2026-24835 HIGH

CVE-2026-24835: Podman Desktop Extension System Vulnerable to Authentication Bypass

Vendor Podman-Desktop
Product podman-desktop
Weakness CWE-285
Published January 28, 2026
Last update January 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue.

Key dates

02Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated