SSRF Vulnerability in Oras-Go Library from the Open Container Initiative
CVE-2026-48978

2.1LOW

Key Information:

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-48978?

The Oras-Go library, utilized for managing OCI artifacts, contains a vulnerability that allows an attacker to exploit the library's inability to validate the scheme or host from the realm URL in a registry's WWW-Authenticate: Bearer challenge. This flaw enables a malicious registry to perform Server-Side Request Forgery (SSRF) attacks against internal networks, potentially exposing sensitive endpoints such as http://169.254.169.254/ or http://10.0.0.x/. Consequently, this vulnerability poses a significant risk, especially when the library improperly downgrades secure registry communications from HTTPS to HTTP during token retrieval processes.

Affected Version(s)

oras-go < 2.6.1

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.