CVE-2026-34045
Published: 07 April 2026
Summary
CVE-2026-34045 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Linuxfoundation Podman Desktop. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Implement denial-of-service protections such as connection limits and timeouts to prevent resource exhaustion via flooding of the unauthenticated HTTP server.
- Restrict error handling to avoid verbose responses that disclose sensitive internal paths, system details, and usernames.
- Monitor and control network communications at boundaries to block unauthorized remote access to the exposed HTTP server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An exposed unauthenticated HTTP server enables remote exploitation of a public-facing application (T1190); flooding it with connections causes application resource exhaustion leading to denial of service (T1499.003); verbose errors disclose system details and usernames, enabling system information discovery (T1082).
NVD Description
Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.
Deeper analysis
CVE-2026-34045 is a high-severity vulnerability (CVSS 8.2, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) affecting Podman Desktop, a graphical tool for developing on containers and Kubernetes, in versions prior to 1.26.2. It stems from an exposed unauthenticated HTTP server that lacks connection limits and timeouts, enabling resource exhaustion, as well as verbose error responses that disclose sensitive details (CWE-209, CWE-284, CWE-400).
Network-accessible attackers can exploit this vulnerability remotely without authentication or user interaction. By flooding connections, they can exhaust file descriptors and kernel memory, resulting in application crashes or full host freezes and denial-of-service conditions. Additionally, attackers can extract information like internal paths and system details, including usernames on Windows, to facilitate further attacks.
The issue is addressed in Podman Desktop 1.26.2. Security practitioners should upgrade immediately and review network exposure of Podman Desktop instances. Additional mitigation details are available in the GitHub security advisory at https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv.
Details
- CWE(s)