PT-2026-54776 · Oras-Go · Oras-Go

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-50151

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions oras-go versions prior to 2.6.0
Description During the monolithic blob upload flow, the software follows a registry-controlled Location header and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, the caller's credentials can be sent to an attacker-controlled endpoint. This issue occurs within the blobStore.completePushAfterInitialPost() function located in registry/remote/repository.go. This can lead to a credential leak and client-side Server-Side Request Forgery (SSRF), where the server is tricked into making requests to an unintended destination.
Recommendations Update oras-go to a version later than 2.6.0. Validate the Location header (including scheme, hostname, and effective port) against the original request before uploading. Implement an explicit opt-in allowlist for cross-host upload URLs. Ensure the Authorization header is never forwarded when the upload target changes host or scheme.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50151
GHSA-JXPM-75MH-9FP7

Affected Products

Oras-Go