CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2022-27651

The Dangerous Inheritance: How CVE-2022-27651 Broke Container Least Privilege

Alon Barad, Software Engineer

Jan 2, 2026 · 5 min read · 17 visits

Executive Summary (TL;DR)

Buildah and Docker Engine (Moby) were initializing containers with a fully populated 'Inheritable' capability set. This violated the principle of least privilege, allowing processes within the container to easily elevate their privileges to the container's maximum bounding set simply by executing binaries with file capabilities set. It's a classic case of "default insecure" configuration.

A deep dive into a subtle but significant flaw in how Buildah and Docker Engine initialized Linux process capabilities. By misconfiguring the Inheritable set, these runtimes allowed unintended privilege escalation within containers, turning the complex mathematics of Linux permissions against the security model.
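
The effect of a populated Inheritable set follows from the execve() rule in capabilities(7). The Go program below is an added example, not code from Buildah, Moby or this report: it parses the Cap* lines of /proc/<pid>/status and computes the permitted set a non-root process ends up with after executing a file that carries inheritable file capabilities. The type and function names and both status samples are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Illustrative names, not Buildah/Moby APIs. Caps holds capability sets as bitmasks.
type Caps struct{ Inh, Prm, Eff, Bnd, Amb uint64 }

// ParseStatus reads the Cap* lines of /proc/<pid>/status text.
func ParseStatus(status string) (Caps, error) {
	var c Caps
	dst := map[string]*uint64{"CapInh": &c.Inh, "CapPrm": &c.Prm, "CapEff": &c.Eff, "CapBnd": &c.Bnd, "CapAmb": &c.Amb}
	for _, line := range strings.Split(status, "\n") {
		kv := strings.SplitN(line, ":", 2)
		if p, ok := dst[kv[0]]; ok && len(kv) == 2 {
			n, err := strconv.ParseUint(strings.TrimSpace(kv[1]), 16, 64)
			if err != nil {
				return c, fmt.Errorf("%s: %w", kv[0], err)
			}
			*p = n
		}
	}
	return c, nil
}

// ExecPermitted applies the capabilities(7) execve() rule for a non-root
// process: P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb).
// A file that carries capabilities is "privileged", which clears ambient.
func ExecPermitted(p Caps, fInh, fPrm uint64) uint64 {
	amb := p.Amb
	if fInh|fPrm != 0 {
		amb = 0
	}
	return (p.Inh & fInh) | (fPrm & p.Bnd) | amb
}

// Constructed samples: a non-root container process before and after the fix.
const before = "CapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
const after = "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
const netRaw = uint64(1) << 13 // CAP_NET_RAW, set only in the file's inheritable set

func main() {
	for _, s := range []string{before, after} {
		c, _ := ParseStatus(s)
		fmt.Printf("CapInh=%016x -> permitted after exec=%016x\n", c.Inh, ExecPermitted(c, netRaw, 0))
	}
}
```

A non-zero CapInh on a container's main process is the condition to alert on; with an empty Inheritable set the same file grants nothing.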

Official Patches

  • Buildah: Buildah Security Advisory
  • Moby: Moby Security Advisory

Technical Appendix

CVSS Score: 6.8 / 10 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Probability: 0.13% (Top 100% most exploited)

Affected Systems

  • Buildah (versions <= 1.24.0)
  • Moby / Docker Engine (versions < 20.10.9)
  • Podman (via Buildah dependency)

Affected Versions Detail

Product | Affected Versions | Fixed Version
Buildah (Containers) | <= 1.24.0 | 1.25.0
Moby (Docker) (Moby Project) | < 20.10.9 | 20.10.9

Attribute | Detail
CWE ID | CWE-276
Attack Vector | Local (Container)
CVSS | 6.8 (Medium)
Impact | Privilege Escalation (Intra-Container)
Exploit Status | PoC Available
Vulnerable Component | OCI Runtime Spec Generation

MITRE ATT&CK Mapping

  • T1068: Exploitation for Privilege Escalation (Privilege Escalation)
  • T1611: Escape to Host (Facilitated) (Privilege Escalation)

CWE-276: Incorrect Default Permissions

Known Exploits & Detection

  • GitHub (Vendor Regression Test): Regression tests demonstrating the check for empty CapInh

Vulnerability Timeline

  • CVE Published: 2022-04-04
  • Patch Committed (Buildah): 2022-03-23
  • Advisory Released: 2022-04-04

Related Vulnerabilities: GHSA-C3G4-W6CV-6V7H
