Hardlink Target Validation Flaw in oras-go Library by Oracle
CVE-2026-50163

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-50163?

The oras-go library, designed for managing OCI artifacts, prior to version 2.6.2, contains a flaw in the validation of hardlink targets. Specifically, the 'ensureLinkPath' method fails to resolve the target correctly against the extraction base, which may inadvertently expose or alter sensitive files, such as .env, .git/config, .aws/credentials, and ~/.ssh/config. This security limitation allows malicious actors to exploit the process current working directory, thereby creating potential security risks. Upgrading to version 2.6.2 effectively mitigates this vulnerability.

Affected Version(s)

oras-go < 2.6.2

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.