File Path Traversal in Oras-Go Library Affects OCI Artifact Management
CVE-2026-50162

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-50162?

The Oras-Go library, used for managing OCI artifacts, is susceptible to a path traversal vulnerability in its resolveWritePath() function prior to version 2.6.1. This vulnerability allows attackers to manipulate blob titles via the ocispec.AnnotationTitle attribute. Specifically, when AllowPathTraversalOnWrite is set to false, users can create symlinks that traverse outside the expected working directory. As a result, an attacker can potentially push files to unintended directories on the file system, leading to unauthorized file creation and exposure. This security flaw has been addressed in version 2.6.1 of the library.

Affected Version(s)

oras-go < 2.6.1

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.