Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-jxpm-75mh-9fp7 | oras-go blob upload vulnerable to credential forwarding via unvalidated Location header |
Fri, 17 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target. | oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1. |
| Title | oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload | oras-go: credential forwarding via unvalidated Location header in blob upload |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV3_1
|
cvssV3_1
|
Wed, 15 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target. | |
| Title | oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload | |
| Weaknesses | CWE-522 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:41:11.648Z
Reserved: 2026-06-03T20:54:20.431Z
Link: CVE-2026-50151
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T03:45:04Z
Github GHSA