Platform: docker
Component: podman-desktop
Fixed in: 1.26.3
CVE-2026-34045 affects Podman Desktop versions prior to 1.26.2. This vulnerability stems from an unauthenticated HTTP server within Podman Desktop, enabling remote attackers to trigger denial-of-service (DoS) conditions and extract sensitive information. Successful exploitation can lead to application crashes or even a complete host freeze, impacting container development workflows.
The primary impact of CVE-2026-34045 is a denial-of-service. An attacker can remotely exhaust file descriptors and kernel memory by abusing missing connection limits and timeouts within the unauthenticated HTTP server. This can result in Podman Desktop becoming unresponsive or, in severe cases, freezing the entire host system. Beyond DoS, verbose error responses expose internal paths and system details, including usernames on Windows systems. This information can be leveraged for further reconnaissance and potential exploitation, expanding the attack surface.
CVE-2026-34045 was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the ease of exploitation (unauthenticated access) suggests a potential for rapid development of such tools.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-34045 is to upgrade Podman Desktop to version 1.26.2 or later. If an immediate upgrade is not feasible, consider implementing network-level restrictions to limit external access to the Podman Desktop HTTP server. While a dedicated WAF rule is unlikely to apply, restricting inbound connections to the Podman Desktop process can reduce the attack surface. Monitor Podman Desktop logs for unusual activity, specifically excessive connection attempts or error messages related to resource exhaustion.
Update Podman Desktop to version 1.26.2 or higher to mitigate the vulnerability. This update corrects the connection handling and timeout deficiencies that allow denial-of-service attacks and the exposure of sensitive information.
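The class of fix described above (connection caps, timeouts and non-verbose error responses) can be sketched for a Node.js HTTP server as follows. This is an added example, not code from Podman Desktop or its patch; the limit values, `createHardenedServer` and `sendError` are assumptions chosen for illustration.

```javascript
// Added example: illustrative limits, not values taken from the Podman Desktop fix.
const http = require("node:http");

const LIMITS = {
  maxConnections: 64,      // cap on concurrent sockets (bounds file descriptors)
  headersTimeout: 10_000,  // ms allowed to receive the complete header block
  requestTimeout: 30_000,  // ms allowed to receive the complete request
  keepAliveTimeout: 5_000, // ms an idle keep-alive socket may stay open
  socketTimeout: 60_000,   // ms of inactivity before a socket is destroyed
};

// Reply with a fixed body. The detailed error (paths, usernames, stack) goes
// only to the local log, tied to the response by a correlation id.
function sendError(res, err, log = console.error) {
  const id = Math.random().toString(36).slice(2, 10); // correlation id, not a secret
  log(`[${id}] ${err.stack || err}`);
  const body = JSON.stringify({ error: "internal error", id });
  res.writeHead(500, { "Content-Type": "application/json" });
  res.end(body);
  return body;
}

function createHardenedServer(handler, limits = LIMITS) {
  const server = http.createServer(async (req, res) => {
    try {
      await handler(req, res);
    } catch (err) {
      if (!res.headersSent) sendError(res, err);
      else res.destroy();
    }
  });
  server.maxConnections = limits.maxConnections;
  server.headersTimeout = limits.headersTimeout;
  server.requestTimeout = limits.requestTimeout;
  server.keepAliveTimeout = limits.keepAliveTimeout;
  // Destroy sockets idle past the limit instead of holding them open.
  server.setTimeout(limits.socketTimeout, (socket) => socket.destroy());
  return server;
}

// Bind to loopback only so the service is unreachable from other hosts:
// createHardenedServer(appHandler).listen(PORT, "127.0.0.1");
```
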
CVE-2026-34045 is a high-severity vulnerability in Podman Desktop versions 1.0.0 up to, but not including, 1.26.2 that allows an unauthenticated attacker to trigger a denial-of-service and extract sensitive information.
You are affected if you are using Podman Desktop versions 1.0.0 through 1.26.1. Check your version and upgrade immediately.
Upgrade Podman Desktop to version 1.26.2 or later to resolve this vulnerability. Consider network restrictions as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the official Podman Desktop release notes and security advisories on the Podman Desktop website for the latest information.