Summary
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive
Advisory details
Impact
When processing a build context, or an ADD or COPY instruction, a malicious server serving a Git repository or a tar archive file can cause files outside of the build context directory to be included in the build context or copied into the build.
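The general defence for the tar side of this bug class is to treat every archive member as hostile and prove, before writing, that it cannot land outside the context directory. The following is an added example written for this page, not Buildah's own code or its fix; the names SafeExtract, BuildArchive and Entry are this example's own, and the archives it builds are constructed test data. It rejects member names that are absolute or climb out with "..", symlinks whose target (resolved against the link's own directory) leaves the destination, hardlinks whose source leaves it, and any write through a parent directory that a previously extracted symlink has redirected outside the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned for any archive member that would land outside the destination.
var ErrEscape = errors.New("archive entry escapes destination")

// withinDest reports whether the cleaned absolute path p is dest itself or lies under it.
func withinDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// containedPath maps a member name onto dest, rejecting absolute names and ".." that climbs out.
func containedPath(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans, so ".." is collapsed lexically
	if filepath.IsAbs(name) || !withinDest(dest, target) {
		return "", fmt.Errorf("%w: %q", ErrEscape, name)
	}
	return target, nil
}

// SafeExtract unpacks a tar stream into the existing directory dest, refusing traversal in
// member names, symlink targets and hardlink sources, and writes through redirected parents.
func SafeExtract(r io.Reader, dest string) error {
	// Work on the physical destination so on-disk checks compare like with like.
	dest, err := filepath.EvalSymlinks(filepath.Clean(dest))
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil
		} else if err != nil {
			return err
		}
		target, err := containedPath(dest, hdr.Name)
		if err != nil {
			return err
		}
		// A parent may be a symlink planted by an earlier member: resolve it on disk before writing.
		parent := filepath.Dir(target)
		if err := os.MkdirAll(parent, 0o755); err != nil {
			return err
		}
		if real, err := filepath.EvalSymlinks(parent); err != nil || !withinDest(dest, real) {
			return fmt.Errorf("%w: parent of %q resolves outside destination", ErrEscape, hdr.Name)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_EXCL|os.O_WRONLY, os.FileMode(hdr.Mode)&0o777); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		case tar.TypeSymlink: // resolve the link target lexically against the link's own directory
			if filepath.IsAbs(hdr.Linkname) || !withinDest(dest, filepath.Join(parent, hdr.Linkname)) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrEscape, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeLink: // a hardlink source is another member name, relative to the archive root
			var src string
			if src, err = containedPath(dest, hdr.Linkname); err == nil {
				err = os.Link(src, target)
			}
		default: // devices, FIFOs and anything else have no place in a build context
			err = fmt.Errorf("unsupported member type %q for %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

// Entry and BuildArchive produce in-memory tar streams; every archive built with them is constructed data.
type Entry struct {
	Name, Link, Body string
	Type             byte
}

func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Typeflag: e.Type, Linkname: e.Link, Mode: 0o644, Size: int64(len(e.Body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		io.WriteString(tw, e.Body) // Size matches len(Body), so this cannot overrun the header
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "ctx")
	defer os.RemoveAll(dir)
	hostile := BuildArchive([]Entry{{Name: "esc", Type: tar.TypeSymlink, Link: "../../etc"}})
	fmt.Println(SafeExtract(bytes.NewReader(hostile), dir)) // reports ErrEscape for the symlink
}
```

The lexical symlink check is sufficient on its own only because every link is checked before it is created and the destination starts out under the extractor's control; the EvalSymlinks check on the parent is what keeps the guarantee if the destination already contained something. The same containment rule applies to the Git side of the advisory: a checked-out tree must be walked with the same "does this path, after resolving links, still sit under the context directory?" test before anything is copied into the build.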
Patches
Fixed in Buildah 1.44 and 1.43.2.
References