Description
oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
Published: 2026-07-17
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in oras-go causes the client to forward the Authorization header it received during a blob upload to any host specified in a cross-host Location header returned by the server. The vulnerability, identified as CWE‑522, allows an attacker‑controlled registry to capture the caller’s credentials, resulting in information disclosure. In addition, because the client follows the redirected URI, the flaw can be leveraged to perform client‑side Server‑Side Request Forgery (SSRF) against internal or external targets.

Affected Systems

The issue affects the oras-go library, which is commonly used in OCI‑compatible image registry interactions. No specific vendor or version strings are provided, so all releases that include the monolithic blob upload routine are potentially impacted until a fix is released.

Risk and Exploitability

The CVSS score for this vulnerability is 5.9, indicating medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires an attacker to control a registry endpoint that issues a cross‑host Location header during a blob upload, and the client must be configured to accept the redirect. In environments where clients trust arbitrary registries and do not validate redirect origins, the exploit is likely to succeed.

Generated by OpenCVE AI on July 17, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the oras‑go library to the latest release that includes the fix for credential forwarding during blob uploads.
  • If no patch is available, configure the client to disable automatic following of Location redirects or enforce that the redirect target host matches the original registry domain.
  • Restrict communication to trusted registry endpoints by maintaining a whitelist of registries and blocking untrusted or unknown registries from providing LOCATION headers.

Generated by OpenCVE AI on July 17, 2026 at 03:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jxpm-75mh-9fp7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
History

Fri, 17 Jul 2026 20:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target. oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
Title oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload oras-go: credential forwarding via unvalidated Location header in blob upload
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 15 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target.
Title oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload
Weaknesses CWE-522
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-17T19:41:11.648Z

Reserved: 2026-06-03T20:54:20.431Z

Link: CVE-2026-50151

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-01T21:35:45Z

Links: CVE-2026-50151 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T03:45:04Z

Weaknesses
  • CWE-522

    Insufficiently Protected Credentials

  • CWE-918

    Server-Side Request Forgery (SSRF)