CVE-2026-33414
Published: 14 April 2026
Summary
CVE-2026-33414 is a high-severity OS Command Injection (CWE-78) vulnerability in Podman (vendor: Podman Project), affecting versions 4.8.0 through 5.8.1 on Windows. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter: PowerShell (T1059.001). It ranks at the 2.2nd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): timely identification, reporting and patching of the command injection flaw in Podman 4.8.0 through 5.8.1; the fix shipped in 5.8.2 removes the exploitable code path.
SI-10 (Information Input Validation): validation and sanitization of the untrusted VM image path (reachable through a crafted machine name or image directory) before it is inserted into a PowerShell double-quoted string, so that a $() subexpression in the path is never evaluated.
Least privilege on the Podman process: running the HyperV machine backend with the minimum privileges it needs limits what an injected PowerShell command can do if injection does occur; on typical Windows installations the process runs as SYSTEM, which is what makes the flaw a privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection in the Podman HyperV backend lets a low-privileged local user run arbitrary PowerShell subexpressions (T1059.001). Because the Podman process typically runs as SYSTEM on Windows, the same injection yields SYSTEM-level code execution, i.e. Exploitation for Privilege Escalation (T1068).
NVD Description
Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.
Deeper analysis
CVE-2026-33414 is a command injection vulnerability in Podman, a tool for managing OCI containers and pods. It affects versions 4.8.0 through 5.8.1, specifically in the HyperV machine backend located at pkg/machine/hyperv/stubber.go. The issue arises when the VM image path is inserted unsanitized into a PowerShell double-quoted string, enabling $() subexpression injection. PowerShell evaluates these subexpressions before executing the outer command, and the vulnerability is exclusive to Windows due to the HyperV backend dependency. The CVSS v3.1 base score is 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), mapped to CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
An attacker with local access and low privileges (PR:L) can exploit this by controlling the VM image path, for example through a crafted machine name or image directory that ends up in the string the backend hands to PowerShell. Any $() subexpression in that path is evaluated with the privileges of the Podman process. On typical Windows installations that is SYSTEM, so confidentiality, integrity and availability impacts are all high, and the scope is changed (S:C) because the attacker crosses from their own user context into the SYSTEM-level Podman process. The high attack complexity (AC:H) reflects that the attacker must first get a crafted machine name or image directory into the path Podman uses, rather than simply supplying a command-line argument.
Podman has addressed the vulnerability in version 5.8.2. The patch commit is available at https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed, and further details are in the security advisory at https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59. Security practitioners should upgrade to 5.8.2 or later on affected Windows systems running Podman.
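The mechanism described above (a path interpolated into a PowerShell double-quoted string, where PowerShell expands $() before running the outer command) and the SI-10 control from the mitigations list are shown side by side in the following Go example. It is added here for illustration and is not Podman's code nor the fix in the referenced commit: the Get-VHD cmdlet is a stand-in for whatever the real backend invokes, the function names and the sample paths are constructed, and the hardening combines two layers, rejecting characters with PowerShell string semantics and then emitting the path as a single-quoted literal, inside which PowerShell performs no expansion at all.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample inputs (not taken from the advisory): a benign image path,
// one containing a legal apostrophe, and one carrying a PowerShell subexpression.
const (
	benignPath     = `C:\Users\alice\.local\share\containers\podman\machine\hyperv\podman-machine-default-amd64.vhdx`
	apostrophePath = `D:\O'Brien\images\machine.vhdx`
	maliciousPath  = `C:\Users\alice\$(calc.exe)\machine.vhdx`
)

// vulnerableCommand reproduces the unsafe pattern the advisory describes: the
// path is interpolated into a PowerShell double-quoted string. Get-VHD is only
// a stand-in for whichever cmdlet the real backend runs. PowerShell expands
// $(...) inside "..." before the outer command executes, so a path containing
// "$(calc.exe)" runs calc.exe with the privileges of the calling process.
func vulnerableCommand(imagePath string) string {
	return fmt.Sprintf(`Get-VHD -Path "%s"`, imagePath)
}

// containsSubexpression is a minimal detection check: any "$(" inside a
// double-quoted PowerShell string is a subexpression that will be evaluated.
func containsSubexpression(cmd string) bool {
	return strings.Contains(cmd, "$(")
}

// validateImagePath is the SI-10 layer: reject characters that carry meaning
// inside a PowerShell string or that can break the command line (dollar,
// backtick, double quote, control characters). An apostrophe is allowed,
// because Windows paths may legitimately contain one and the quoting layer
// below handles it.
func validateImagePath(p string) error {
	if p == "" {
		return errors.New("image path must not be empty")
	}
	if strings.ContainsAny(p, "$`\"") {
		return fmt.Errorf("image path %q contains a character with PowerShell string semantics", p)
	}
	for _, r := range p {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("image path %q contains a control character", p)
		}
	}
	return nil
}

// psSingleQuote wraps s in a PowerShell single-quoted literal. Inside '...'
// PowerShell performs no variable, subexpression or backtick expansion; the
// only escape is doubling an embedded apostrophe.
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// hardenedCommand validates the path and then passes it as a single-quoted
// literal, so both layers would have to fail before an injected subexpression
// could run.
func hardenedCommand(imagePath string) (string, error) {
	if err := validateImagePath(imagePath); err != nil {
		return "", err
	}
	return fmt.Sprintf("Get-VHD -Path %s", psSingleQuote(imagePath)), nil
}

func main() {
	v := vulnerableCommand(maliciousPath)
	fmt.Println("vulnerable:", v)
	fmt.Println("subexpression present:", containsSubexpression(v))
	for _, p := range []string{benignPath, apostrophePath, maliciousPath} {
		cmd, err := hardenedCommand(p)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("hardened:", cmd)
	}
}
```

The single-quoted literal is what actually stops evaluation; the character filter is defense in depth and carries a trade-off, since a legitimate Windows path can contain a dollar sign (an administrative share such as C$, for instance). A backend that must accept such paths should keep the quoting layer and relax the filter, or better, avoid building a command line at all and pass the path to the cmdlet as a separate argument. Either way, the test to run against any change is the one in the example: feed it a path containing "$(" and confirm the resulting command cannot evaluate it.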
Details
- CWE(s)