SSRF Vulnerability in Oras-Go Library from the Open Container Initiative
CVE-2026-48978
2.1LOW
What is CVE-2026-48978?
The Oras-Go library, utilized for managing OCI artifacts, contains a vulnerability that allows an attacker to exploit the library's inability to validate the scheme or host from the realm URL in a registry's WWW-Authenticate: Bearer challenge. This flaw enables a malicious registry to perform Server-Side Request Forgery (SSRF) attacks against internal networks, potentially exposing sensitive endpoints such as http://169.254.169.254/ or http://10.0.0.x/. Consequently, this vulnerability poses a significant risk, especially when the library improperly downgrades secure registry communications from HTTPS to HTTP during token retrieval processes.
Affected Version(s)
oras-go < 2.6.1
