Command Injection in Podman Affects Windows Systems by Vendor Containers
CVE-2026-33414

4 MEDIUM

Key Information:

Vendor: Containers
Status: Vendor
CVE Published: 14 April 2026

What is CVE-2026-33414?

Podman, a tool for managing OCI containers and pods, contains a command injection vulnerability that affects versions 4.8.0 to 5.8.1 due to improper sanitization of the VM image path in the HyperV backend. Specifically, the issue arises when the image path is incorporated into a PowerShell double-quoted string, enabling attackers to inject malicious commands through crafted machine names or image directories. This vulnerability allows unauthorized execution of arbitrary PowerShell commands, potentially leading to SYSTEM-level code execution on Windows installations. Users should upgrade to Podman version 5.8.2 or later to mitigate this issue.
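The flaw described above, an untrusted path interpolated into a PowerShell double-quoted string, shown next to a hardened form that passes the value as a single-quoted literal and a defence-in-depth check for names. This is an added Go example, not Podman's own code: Get-Item is a stand-in for whatever cmdlet the backend invokes, the sample path is constructed, and the helper names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// buildVulnerableCommand shows the flawed pattern: the image path is
// interpolated into a PowerShell double-quoted string, where PowerShell
// expands $variables, $(subexpressions) and backtick escapes, and an
// embedded double quote ends the string early. Get-Item is a stand-in cmdlet.
func buildVulnerableCommand(imagePath string) string {
	return fmt.Sprintf(`Get-Item -Path "%s"`, imagePath)
}

// psSingleQuote wraps a value as a PowerShell single-quoted literal.
// PowerShell performs no expansion inside single quotes; the only escape
// needed is doubling any embedded single quote.
func psSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// buildHardenedCommand is the same command with the path passed as a literal,
// so quotes, $ and backticks in the path are never parsed as PowerShell.
func buildHardenedCommand(imagePath string) string {
	return fmt.Sprintf(`Get-Item -Path %s`, psSingleQuote(imagePath))
}

// hasPSMetachars is a defence-in-depth allow-list check for values such as
// machine names that later end up in scripts: reject anything carrying a
// character a double-quoted string or the PowerShell parser would interpret.
func hasPSMetachars(s string) bool {
	return strings.ContainsAny(s, "\"'$`;&|(){}\r\n")
}

func main() {
	// Constructed sample path, not a real installation path.
	path := `C:\Users\alice\machine\podman-machine-default\image.vhdx`
	fmt.Println(buildVulnerableCommand(path))
	fmt.Println(buildHardenedCommand(path))
	fmt.Println(hasPSMetachars("podman-machine-default"), hasPSMetachars(`odd"name`))
}
```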

Affected Version(s)

podman >= 4.8.0, < 5.8.2

References

CVSS V4

Score: 4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
