CVE-2026-28909 PUBLISHED

Assigner: apple
Reserved: 03.03.2026 Published: 30.04.2026 Updated: 30.04.2026

Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.

Product Status

Vendor	Apple
Product	macOS
Versions	affected from 0.12.1 to 0.12.3 (excl.)

References

https://github.com/apple/container/security/advisories/GHSA-m5rp-xcpf-r8m7

Problem Types

Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext.