Jan 2, 2026 · 5 min read
Buildah and Docker Engine (Moby) were initializing containers with a fully populated Inheritable capability set. This violated the principle of least privilege: on execve, the new process's Permitted set gains the intersection of the process Inheritable set and the binary's file Inheritable capabilities, so with Inheritable fully populated a process inside the container could regain capabilities up to the container's bounding set simply by executing a binary whose file capabilities are marked inheritable. It's a classic case of "default insecure" configuration.
A deep dive into a subtle but significant flaw in how Buildah and Docker Engine initialized Linux process capabilities. By misconfiguring the Inheritable set, these runtimes allowed unintended privilege escalation within containers, turning the complex mathematics of Linux permissions against the security model.
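To make the capability arithmetic concrete, the following Python is an added example (not code from the advisory or from either project). It models the execve() transition rules from capabilities(7) and audits `/proc/<pid>/status` text for a populated Inheritable set. The status snippets are constructed; the mask `0xa80425fb` is Docker's default capability bounding set as it appears in `CapBnd`, and the binary with file capabilities `cap_net_raw+ei` is a hypothetical input chosen to show the difference between the vulnerable and fixed defaults.

```python
"""Model the capabilities(7) execve() transition and audit /proc/<pid>/status
for a fully populated Inheritable set. Added example; all values constructed."""
import re

# Capability bit numbers from <linux/capability.h> (subset used here).
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21

# Docker's default capability bounding set, as shown in CapBnd.
DOCKER_DEFAULT_CAPS = 0x00000000A80425FB

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def cap_mask(*bits):
    """Build a capability bitmask from capability numbers."""
    mask = 0
    for b in bits:
        mask |= 1 << b
    return mask


def parse_proc_status(text):
    """Extract the five Cap* hex masks from /proc/<pid>/status text."""
    caps = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line.strip())
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    missing = [f for f in CAP_FIELDS if f not in caps]
    if missing:
        raise ValueError("status text lacks fields: %s" % ", ".join(missing))
    return caps


def execve_transition(proc, file_inh=0, file_prm=0, file_eff=False):
    """Apply the capabilities(7) execve() rules to the process sets in `proc`
    for a binary carrying file capabilities (file_inh, file_prm, file_eff).
    Set-user-ID-root binaries are not modelled.
        P'(amb) = file is privileged ? 0 : P(amb)
        P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb)
        P'(eff) = F(eff) ? P'(prm) : P'(amb)
        P'(inh) = P(inh);  P'(bnd) = P(bnd)
    """
    privileged = bool(file_inh or file_prm)
    new_amb = 0 if privileged else proc["CapAmb"]
    new_prm = (proc["CapInh"] & file_inh) | (file_prm & proc["CapBnd"]) | new_amb
    new_eff = new_prm if file_eff else new_amb
    return {"CapInh": proc["CapInh"], "CapPrm": new_prm, "CapEff": new_eff,
            "CapBnd": proc["CapBnd"], "CapAmb": new_amb}


def audit_inheritable(proc):
    """Return findings for the least-privilege violation the advisory describes."""
    findings = []
    if proc["CapInh"]:
        findings.append("CapInh is non-empty (%#x): file capabilities marked +i "
                        "can be regained on execve" % proc["CapInh"])
    if proc["CapBnd"] and proc["CapInh"] == proc["CapBnd"]:
        findings.append("CapInh equals CapBnd: every capability in the bounding "
                        "set is inheritable")
    return findings


# Constructed snippets for an unprivileged (uid 1000) process inside a container.
# Vulnerable default: Inheritable set populated with the whole bounding set.
VULNERABLE_STATUS = """\
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
# Fixed default: Inheritable set empty.
FIXED_STATUS = VULNERABLE_STATUS.replace("CapInh:\t00000000a80425fb",
                                         "CapInh:\t0000000000000000")

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_STATUS), ("fixed", FIXED_STATUS)):
        proc = parse_proc_status(text)
        # Hypothetical binary with file capabilities cap_net_raw+ei.
        after = execve_transition(proc, file_inh=cap_mask(CAP_NET_RAW), file_eff=True)
        print("%s: findings=%s, CapEff after exec=%#x"
              % (name, audit_inheritable(proc), after["CapEff"]))
```

With the vulnerable status the non-root process ends up with `CAP_NET_RAW` effective after exec; with the fixed status it gains nothing, while ordinary `+p` file capabilities (the ping(8) case) still work in both, bounded by `CapBnd`. The audit function is the check to run against processes in a container when verifying that a runtime upgrade actually cleared the Inheritable set.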
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Buildah (Containers) | <= 1.24.0 | 1.25.0 |
| Moby (Docker), Moby Project | < 20.10.9 | 20.10.9 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-276 (Incorrect Default Permissions) |
| Attack Vector | Local (Container) |
| CVSS | 6.8 (Medium) |
| Impact | Privilege Escalation (Intra-Container) |
| Exploit Status | PoC Available |
| Vulnerable Component | OCI Runtime Spec Generation |
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.
GHSA-WW5P-J6CJ-6MQQ is a technical credential exposure vulnerability in Nezha Dashboard prior to version 2.2.5. The vulnerability allows authenticated administrative users or actors possessing scoped read-only Personal Access Tokens (PATs) to exfiltrate plaintext third-party API credentials, secret keys, and webhook authorization headers due to a lack of data redaction during API object serialization.