Cross-Host Credential Exposure in ORAS-Go Library by Oracle
CVE-2026-50151
7.5HIGH
What is CVE-2026-50151?
The ORAS-Go library, used for managing OCI artifacts, suffers from a vulnerability where it improperly handles the Location header during blob uploads. Specifically, versions prior to 2.6.1 follow a potentially malicious Location header from a registry, reusing the Authorization header from the initial request. This flaw allows attackers operating a malicious registry to redirect users to a controlled endpoint, potentially capturing user credentials. Users are strongly encouraged to upgrade to version 2.6.1 or later to mitigate this risk.
Affected Version(s)
oras-go < 2.6.1
