Cyber Resilience

CVE-2026-24835

Severity: High · Public PoC

Published: 28 January 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: available (version 1.25.1)
CVSS v4.0 score: 8.8 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0027 (18.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24835 is a high-severity Improper Authorization (CWE-285) vulnerability in Linuxfoundation Podman Desktop. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE is ranked at the 18.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

Podman Desktop, a graphical tool for developing on containers and Kubernetes, contains a critical authentication bypass vulnerability identified as CVE-2026-24835 in versions prior to 1.25.1. The issue stems from the `isAccessAllowed()` function unconditionally returning `true`, which allows any extension to circumvent permission checks and gain unauthorized access to all authentication sessions. This CWE-285 (Improper Authorization) flaw affects all versions of Podman Desktop prior to the patched release of 1.25.1, with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A local attacker with low privileges can exploit this vulnerability by installing a malicious extension, requiring low complexity and no user interaction. Successful exploitation enables the attacker to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization, resulting in high impacts to confidentiality and integrity.

Podman Desktop version 1.25.1 addresses the vulnerability with a patch. Additional details are available in the GitHub security advisory at https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-v3fx-qg34-6g9m and a supplementary document at https://drive.google.com/file/d/1ib4RG34mGHDlXeyib8L2j9L5rEDxuDM5/view?usp=sharing.
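The bug class described above, as an added illustration that is not Podman Desktop's own code: `isAccessAllowedVulnerable` reproduces the unconditional `true` the advisory describes, while `isAccessAllowed` applies a default-deny, per-extension allow-list before a session is handed to an extension. The `AuthSession`, `ExtensionInfo`, `AccessPolicy` and `getSessions` names and the sample data are assumptions.

```typescript
// Added illustration of the CVE-2026-24835 bug class; the data model and names
// are assumptions, not Podman Desktop's real implementation.
interface AuthSession { id: string; providerId: string; account: string; accessToken: string; }
interface ExtensionInfo { id: string; }
// Grants the user has made: "<providerId>:<extensionId>" -> accounts the extension may use.
type AccessPolicy = Map<string, Set<string>>;

// Vulnerable form: the check is hollow, so every extension passes for every session.
function isAccessAllowedVulnerable(_ext: ExtensionInfo, _s: AuthSession, _p: AccessPolicy): boolean {
  return true;
}

// Hardened form: default deny, grant only what the user explicitly approved.
function isAccessAllowed(ext: ExtensionInfo, s: AuthSession, policy: AccessPolicy): boolean {
  const grants = policy.get(`${s.providerId}:${ext.id}`);
  return grants !== undefined && grants.has(s.account);
}

type Check = (ext: ExtensionInfo, s: AuthSession, p: AccessPolicy) => boolean;
const auditLog: string[] = []; // denied requests, a useful detection signal

// The getSessions() surface an extension calls; tokens of denied sessions never leave it.
function getSessions(ext: ExtensionInfo, providerId: string, all: AuthSession[],
                     policy: AccessPolicy, check: Check): AuthSession[] {
  const visible: AuthSession[] = [];
  for (const s of all.filter(x => x.providerId === providerId)) {
    if (check(ext, s, policy)) visible.push(s);
    else auditLog.push(`denied ${ext.id} -> ${s.providerId}/${s.account}`);
  }
  return visible;
}

// Constructed sample data.
const SESSIONS: AuthSession[] = [
  { id: 's1', providerId: 'github', account: 'alice', accessToken: 'tok-alice' },
  { id: 's2', providerId: 'github', account: 'bob',   accessToken: 'tok-bob' },
  { id: 's3', providerId: 'redhat', account: 'alice', accessToken: 'tok-rh' },
];
const POLICY: AccessPolicy = new Map([['github:acme.helper', new Set(['alice'])]]);
const HELPER: ExtensionInfo = { id: 'acme.helper' };
const UNKNOWN: ExtensionInfo = { id: 'unvetted.ext' };

// Before the fix an unvetted extension sees both GitHub sessions; after, none.
console.log(getSessions(UNKNOWN, 'github', SESSIONS, POLICY, isAccessAllowedVulnerable).length); // 2
console.log(getSessions(UNKNOWN, 'github', SESSIONS, POLICY, isAccessAllowed).length);           // 0
console.log(getSessions(HELPER, 'github', SESSIONS, POLICY, isAccessAllowed).map(s => s.account)); // ['alice']
```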

Vulnerability details

Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue.

CWE(s): CWE-285 (Improper Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
T1078.004 Cloud Accounts (Stealth)
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The authorization bypass (`isAccessAllowed()` always returning `true`) lets a malicious extension read or hijack every authentication session, which amounts to theft of application tokens and session cookies and to impersonation through valid cloud accounts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34045 (same product: Linuxfoundation Podman Desktop)
CVE-2026-40161 (same vendor: Linuxfoundation)
CVE-2024-24416 (same vendor: Linuxfoundation)
CVE-2026-25996 (same vendor: Linuxfoundation)
CVE-2026-27889 (same vendor: Linuxfoundation)
CVE-2026-32613 (same vendor: Linuxfoundation)
CVE-2026-27571 (same vendor: Linuxfoundation)
CVE-2026-33009 (same vendor: Linuxfoundation)
CVE-2025-68136 (same vendor: Linuxfoundation)
CVE-2026-23995 (same vendor: Linuxfoundation)

Affected Assets

Linuxfoundation Podman Desktop, versions ≤ 1.25.1

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (AC-3 Access Enforcement): Directly enforces the access control policy that the flawed isAccessAllowed() function was intended to implement, blocking unauthorized extension access to authentication sessions.

Prevent (AC-6 Least Privilege): Limits the privileges granted to extensions so that even a bypassed permission check cannot reach all authentication sessions or sensitive resources.

Prevent: Restricts installation and execution of untrusted extensions that would otherwise exploit the unconditional true return value.
