Hardlink Target Validation Flaw in oras-go Library by Oracle
CVE-2026-50163
7.1HIGH
What is CVE-2026-50163?
The oras-go library, designed for managing OCI artifacts, prior to version 2.6.2, contains a flaw in the validation of hardlink targets. Specifically, the 'ensureLinkPath' method fails to resolve the target correctly against the extraction base, which may inadvertently expose or alter sensitive files, such as .env, .git/config, .aws/credentials, and ~/.ssh/config. This security limitation allows malicious actors to exploit the process current working directory, thereby creating potential security risks. Upgrading to version 2.6.2 effectively mitigates this vulnerability.
Affected Version(s)
oras-go < 2.6.2
