Cross-Host Credential Exposure in ORAS-Go Library by Oracle
CVE-2026-50151

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-50151?

The ORAS-Go library, used for managing OCI artifacts, suffers from a vulnerability where it improperly handles the Location header during blob uploads. Specifically, versions prior to 2.6.1 follow a potentially malicious Location header from a registry, reusing the Authorization header from the initial request. This flaw allows attackers operating a malicious registry to redirect users to a controlled endpoint, potentially capturing user credentials. Users are strongly encouraged to upgrade to version 2.6.1 or later to mitigate this risk.

Affected Version(s)

oras-go < 2.6.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.