File Path Traversal in Oras-Go Library Affects OCI Artifact Management
CVE-2026-50162
6.9MEDIUM
What is CVE-2026-50162?
The Oras-Go library, used for managing OCI artifacts, is susceptible to a path traversal vulnerability in its resolveWritePath() function prior to version 2.6.1. This vulnerability allows attackers to manipulate blob titles via the ocispec.AnnotationTitle attribute. Specifically, when AllowPathTraversalOnWrite is set to false, users can create symlinks that traverse outside the expected working directory. As a result, an attacker can potentially push files to unintended directories on the file system, leading to unauthorized file creation and exposure. This security flaw has been addressed in version 2.6.1 of the library.
Affected Version(s)
oras-go < 2.6.1
