diff --git a/core/container/src/podman_client.rs b/core/container/src/podman_client.rs
index 8c9368fd..25f6c805 100644
--- a/core/container/src/podman_client.rs
+++ b/core/container/src/podman_client.rs
@@ -176,7 +176,10 @@ impl PodmanClient {
 for cap in &manifest.app.security.capabilities {
 cmd.arg("--cap-add").arg(cap);
 }
-
+
+ // Enforce no new privileges (prevent setuid escalation)
+ cmd.arg("--security-opt").arg("no-new-privileges=true");
+
 // Image
 cmd.arg(&manifest.app.container.image);