Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue.
History
Wed, 28 Jan 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Wed, 28 Jan 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue. | |
| Title | Podman Desktop Extension System Vulnerable to Authentication Bypass | |
| Weaknesses | CWE-285 | |
| References | | |
| Metrics | cvssV4_0 | |
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-28T21:21:17.125Z
Reserved: 2026-01-27T14:51:03.058Z
Link: CVE-2026-24835
Updated: 2026-01-28T21:21:12.764Z
Status : Received
Published: 2026-01-28T21:16:12.947
Modified: 2026-01-28T21:16:12.947
Link: CVE-2026-24835