CVE-2026-55092 in trivy

Summary

by MITRE • 06/25/2026

Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a crafted annotation that resolves to a path outside the intended destination, causing Trivy to write the layer content to an arbitrary location on the host filesystem. This vulnerability is fixed in 0.71.1.


Analysis

by VulDB Data Team • 06/25/2026

This vulnerability affects Trivy security scanner versions prior to 0.71.1, where the software fails to properly validate file paths during OCI artifact downloads. The flaw stems from Trivy directly using the org.opencontainers.image.title annotation value from artifact manifests as the destination filename without any sanitization or path validation checks. When an attacker can influence the artifact being fetched, they can craft a malicious manifest containing a specially crafted title annotation that resolves to a path outside the intended download directory. This allows the attacker to write layer content to arbitrary locations on the host filesystem, potentially leading to privilege escalation, data corruption, or system compromise through write operations in sensitive directories.

The technical implementation of this vulnerability demonstrates a classic path traversal flaw where the application blindly trusts metadata provided by external sources without proper input validation. The org.opencontainers.image.title annotation is part of the Open Container Initiative specification for container image metadata, but Trivy's implementation fails to sanitize this input before using it as a file path. This type of vulnerability maps directly to CWE-22 Path Traversal and CWE-73 Referencing Resources Using External Input, where external input is used to construct file paths without proper validation or sanitization. The vulnerability can be exploited through the attack vector described in MITRE ATT&CK technique T1059 Command and Scripting Interpreter, specifically targeting file system write operations that could lead to privilege escalation.

The operational impact of this vulnerability extends beyond simple file system manipulation as it represents a critical security flaw that could enable attackers to compromise the host system. An attacker who can control an artifact being fetched by Trivy could potentially overwrite critical system files, inject malicious code into existing binaries, or create backdoor files in privileged directories. The vulnerability is particularly concerning in automated environments where Trivy might be used to scan artifacts from untrusted sources, as it could be exploited during routine scanning operations without explicit user interaction. Additionally, the attack requires minimal privileges to set up and could potentially be combined with other vulnerabilities to achieve more severe outcomes.

Mitigation strategies for this vulnerability include upgrading to Trivy version 0.71.1 or later, where proper path validation has been implemented. Organizations should also implement network segmentation and access controls to limit which artifacts can be fetched by Trivy scanners, particularly in environments where untrusted content might be processed. Additional protective measures include running Trivy with minimal privileges, implementing strict file system permissions on download directories, and monitoring for unusual file system write operations that could indicate exploitation attempts. Security teams should also consider implementing artifact signing and verification processes to ensure the integrity of scanned artifacts before allowing them to be downloaded by security tools. The fix implemented in version 0.71.1 likely includes path validation logic that sanitizes or rejects potentially malicious file paths derived from external annotations, preventing the use of relative path components like "../" sequences that could lead to directory traversal.
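The validation the analysis describes, as an added example in Go (Trivy's own language) that is not Trivy's code and not the actual 0.71.1 fix: SafeDestination is a hypothetical helper that takes an untrusted org.opencontainers.image.title value and either returns a path confined to the download directory or rejects it. The policy it enforces (the title must be a single, non-empty path component, with the joined result re-checked via filepath.Rel) is an assumption of this example; the sample annotation values in main are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeTitle is returned when an annotation value cannot safely be used
// as a filename inside the destination directory.
var ErrUnsafeTitle = errors.New("unsafe org.opencontainers.image.title annotation")

// SafeDestination maps an untrusted org.opencontainers.image.title value to a
// path inside destDir, or returns ErrUnsafeTitle. Policy (an assumption of
// this example, not Trivy's actual fix): the title must be a single, non-empty
// path component, so separators, "." and ".." are all rejected, and the joined
// result is re-checked with filepath.Rel as defense in depth.
func SafeDestination(destDir, title string) (string, error) {
	switch {
	case title == "":
		return "", fmt.Errorf("%w: empty title", ErrUnsafeTitle)
	case strings.ContainsRune(title, 0):
		return "", fmt.Errorf("%w: NUL byte in title", ErrUnsafeTitle)
	case strings.ContainsAny(title, `/\`):
		return "", fmt.Errorf("%w: %q contains a path separator", ErrUnsafeTitle, title)
	case title == "." || title == "..":
		return "", fmt.Errorf("%w: %q is a directory reference", ErrUnsafeTitle, title)
	}

	absDir, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absDir, title)

	// Defense in depth: whatever the checks above might miss, the final path
	// must still resolve to a location strictly below absDir.
	rel, err := filepath.Rel(absDir, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrUnsafeTitle, title, absDir)
	}
	return full, nil
}

// IsSafeTitle reports whether a title would be accepted by SafeDestination;
// handy for flagging suspicious manifests in logs before any download starts.
func IsSafeTitle(title string) bool {
	_, err := SafeDestination("/tmp/trivy-download", title)
	return err == nil
}

func main() {
	// Constructed sample annotation values, not taken from any real artifact.
	samples := []string{
		"db.tar.gz",          // accepted: plain filename
		"",                   // rejected: empty
		"../../../etc/hosts", // rejected: parent-directory traversal
		"/etc/hosts",         // rejected: absolute path
		"..",                 // rejected: directory reference
		`sub\dir.tar`,        // rejected: Windows-style separator
	}
	for _, s := range samples {
		dest, err := SafeDestination("/tmp/trivy-download", s)
		if err != nil {
			fmt.Printf("REJECT %q: %v\n", s, err)
			continue
		}
		fmt.Printf("ACCEPT %q -> %s\n", s, dest)
	}
}
```

The single-component rule is deliberately stricter than a generic "no .." filter: it also stops absolute paths and nested directories, which is appropriate when the annotation is only ever expected to name one file in a flat download directory. The filepath.Rel check costs little and catches any future loosening of the component rule.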

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00331

KEV

no

Activities

low

Sources
