CVE-2026-48978 in oras-go
Summary
by MITRE • 07/17/2026
oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowing a malicious or compromised registry to cause SSRF to internal networks such as http://169.254.169.254/, http://10.0.0.x/, and http://127.0.0.1/, or to downgrade a registry contacted over https:// to an http:// token endpoint in registry/remote/auth/client.go through Client.Do(), Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token. This issue is fixed in version 2.6.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The oras-go library presents a critical server-side request forgery vulnerability that affects versions prior to 2.6.1, specifically within the authentication client implementation. This flaw resides in the registry/remote/auth/client.go file where the auth.Client component processes WWW-Authenticate: Bearer challenges from registry servers. The vulnerability stems from insufficient validation of the realm URL provided by the registry, allowing attackers to manipulate the authentication flow and redirect token requests to arbitrary internal or external endpoints.
The technical implementation of this vulnerability involves the Client.Do() method and its associated functions including Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token which collectively handle the authentication process. When a malicious registry server responds with a WWW-Authenticate header containing a realm URL, the client blindly follows this redirection without performing any scheme or host validation checks. This behavior creates a path for attackers to craft malicious registry responses that redirect authentication requests to internal network endpoints such as the AWS metadata service at 169.254.169.254/, various private IP ranges like 10.0.0.x/, or localhost addresses at 127.0.0.1/. The vulnerability is particularly dangerous because it can downgrade secure HTTPS connections to insecure HTTP endpoints, exposing the client to man-in-the-middle attacks and potential credential theft.
This security issue directly maps to CWE-918, Server-Side Request Forgery, which describes vulnerabilities where applications fail to validate or sanitize URLs used in server-side requests. The ATT&CK framework categorizes this as a technique for Initial Access and Lateral Movement through the use of compromised credentials obtained via SSRF attacks against internal services. The impact extends beyond simple information disclosure as attackers can potentially access sensitive metadata, retrieve cloud instance credentials, or gain unauthorized access to internal systems that are normally protected by network segmentation.
The operational consequences of this vulnerability are severe for organizations using oras-go in their container orchestration and artifact management workflows. Container registries serving as authentication endpoints become attack vectors that can compromise entire deployment pipelines when clients blindly follow malicious redirects. This issue affects not only direct registry access but also any system that relies on oras-go for artifact management, particularly those in cloud environments where metadata services are accessible via the standard AWS instance metadata endpoint. Organizations must urgently upgrade to version 2.6.1 or later to mitigate this risk, as the vulnerability can be exploited by attackers who compromise a single registry server within an organization's network.
The fix implemented in version 2.6.1 addresses the core issue by introducing proper validation of the realm URL scheme and host parameters before following redirects. This includes verifying that the redirected URL maintains the same security context as the original registry connection, preventing downgrades from HTTPS to HTTP, and ensuring that internal network endpoints cannot be accessed through manipulated authentication flows. The mitigation strategy requires organizations to conduct immediate vulnerability assessments across their container infrastructure and ensure all oras-go dependencies are updated to the patched version to prevent exploitation of this server-side request forgery vulnerability.