Description
Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a crafted annotation that resolves to a path outside the intended destination, causing Trivy to write the layer content to an arbitrary location on the host filesystem. This vulnerability is fixed in 0.71.1.
Published: 2026-06-25
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Trivy, a container vulnerability scanner, stores OCI artifact layers to disk using the org.opencontainers.image.title annotation from the manifest as the destination filename. Before version 0.71.1 this value is accepted without validation. An attacker able to influence which artifact Trivy retrieves can supply a crafted annotation that resolves to a path outside the intended extraction directory, causing Trivy to write the layer contents to an arbitrary file on the host filesystem. This flaw permits unauthorized file creation or overwriting, potentially allowing modification of configuration files, installation of malicious payloads, or subsequent local code execution, thereby endangering the integrity and confidentiality of the host environment.

Affected Systems

Affected systems are installations of Trivy produced by Aquasecurity with a version older than 0.71.1. Any instance of the tool that downloads OCI artifacts is vulnerable, regardless of how it is invoked. The vulnerability is fixed in Trivy 0.71.1 and later releases. There are no known vendor patches for older releases besides updating the tool.

Risk and Exploitability

The flaw carries a CVSS score of 7, classifying it as high severity. Exploitation requires Trivy to fetch a maliciously crafted OCI artifact, which in turn necessitates either control over the registry from which the artifact is pulled or influence over the artifact reference used by the scanner. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, indicating that widespread exploitation has not yet been observed. Nevertheless, once the attacker can supply the artifact, the ability to write to arbitrary locations on the host where Trivy runs can lead to privilege escalation or remote code execution if the host permissions are sufficiently high.

Generated by OpenCVE AI on June 25, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Trivy to version 0.71.1 or newer, which validates the annotation before writing files.
  • Limit Trivy's access to trusted OCI registries or use only verified artifacts to prevent downloading attacker‑controlled content.
  • Execute Trivy inside a non‑privileged container or isolated environment so that any arbitrary file writes are confined to a restricted filesystem view.

Generated by OpenCVE AI on June 25, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Aquasecurity
Aquasecurity trivy
Vendors & Products Aquasecurity
Aquasecurity trivy

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a crafted annotation that resolves to a path outside the intended destination, causing Trivy to write the layer content to an arbitrary location on the host filesystem. This vulnerability is fixed in 0.71.1.
Title Trivy: Path traversal via a crafted vulnerability database or other downloaded artifacts
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Aquasecurity Trivy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T02:08:22.309Z

Reserved: 2026-06-16T14:41:54.578Z

Link: CVE-2026-55092

cve-icon Vulnrichment

Updated: 2026-06-26T02:08:17.533Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')