PT-2026-55208 · Oras-Go · Oras-Go

Published

2026-07-01

·

Updated

2026-07-06

·

CVE-2026-48978

CVSS v4.0

2.1

Low

VectorAV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions oras.land/oras-go/v2 versions prior to v2.6.1
Description The auth.Client in oras-go follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. This can be abused by a malicious or compromised registry, or via a man-in-the-middle attack on plaintext connections, to perform the following:
  1. Server-Side Request Forgery (SSRF): By providing a realm pointing to internal networks (such as AWS/Azure IMDS, RFC 1918, or loopback addresses), an attacker can force the client to issue outbound HTTP requests to internal endpoints. This can be used for service discovery or probing internal networks from within the user's trust boundary.
  2. TLS Downgrade: A registry contacted via https:// can return a realm using the http:// scheme, causing the client to send credentials over plaintext to the token endpoint, bypassing the intended transport security.
The issue occurs in registry/remote/auth/client.go within the Client.Do(), Client.fetchBearerToken(), fetchDistributionToken(), and fetchOAuth2Token() functions, where the realm parameter from parseChallenge is passed to http.NewRequestWithContext without validation.
Recommendations Update oras.land/oras-go/v2 to version v2.6.1 or later. As a temporary mitigation, use the Client.TrustedRealmHosts allowlist to restrict realm forwarding to trusted hosts.

Fix

Cleartext Transmission of Sensitive Information

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48978
GHSA-XF85-363P-868W
OPENSUSE-SU-2026:11186-1
OPENSUSE-SU-2026:11187-1

Affected Products

Oras-Go