EXECUTIVE SUMMARY:
CVE-2026-50151 with a CVSS score of 7.5 is a server-side request forgery (SSRF) vulnerability affecting the oras-go framework versions prior to 2.6.1. This issue arises because the library fails to validate the `Location` header returned by a registry during the monolithic blob upload process, automatically reusing the `Authorization` header from the initial request for the subsequent operation. An attacker can exploit this flaw by controlling a registry or manipulating its response to provide a cross-host `Location` URL, which triggers the client to forward the original request and its associated credentials to an attacker-controlled endpoint. Successful exploitation allows the attacker to intercept sensitive authentication tokens, effectively achieving credential leakage and client-side SSRF. The business impact is significant as compromised credentials could allow unauthorized access to internal systems or third-party services, leading to potential data breaches or further lateral movement. Exploitation requires that a user or service attempts to upload a blob to a malicious or compromised registry that returns a manipulated `Location` header.
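The check whose absence is described above, as an added Go example that is not taken from oras-go or its patch: the follow-up PUT receives the `Authorization` header only when the resolved `Location` keeps the scheme, host and port of the original upload request. `NewUploadPUT`, `ErrCrossOrigin`, the host names and the token are hypothetical, and rejecting every cross-origin `Location` outright is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrCrossOrigin marks a Location header that points away from the registry.
var ErrCrossOrigin = errors.New("upload Location leaves the registry origin")

// port returns the explicit port of u, or the default for http/https.
func port(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	return map[string]string{"http": "80", "https": "443"}[u.Scheme]
}

// NewUploadPUT (hypothetical helper) builds the PUT that follows the upload
// POST. Authorization is copied only if Location keeps scheme, host and port.
func NewUploadPUT(post *http.Request, location string) (*http.Request, error) {
	loc, err := post.URL.Parse(location) // resolves relative and "//host" forms
	if err != nil {
		return nil, fmt.Errorf("invalid Location %q: %w", location, err)
	}
	if loc.Scheme != post.URL.Scheme || port(loc) != port(post.URL) ||
		!strings.EqualFold(loc.Hostname(), post.URL.Hostname()) {
		return nil, fmt.Errorf("%w: %q", ErrCrossOrigin, loc.Host)
	}
	put, err := http.NewRequest(http.MethodPut, loc.String(), nil)
	if err != nil {
		return nil, err
	}
	if auth := post.Header.Get("Authorization"); auth != "" {
		put.Header.Set("Authorization", auth)
	}
	return put, nil
}

func main() {
	post, _ := http.NewRequest(http.MethodPost, "https://registry.example.com/v2/app/blobs/uploads/", nil)
	post.Header.Set("Authorization", "Bearer constructed-token") // constructed sample value
	_, err := NewUploadPUT(post, "https://other.example.net/u/1234") // constructed cross-host Location
	fmt.Println(err)
}
```

Comparing `Hostname()` rather than a string prefix is what rejects userinfo forms such as `https://registry.example.com@other.example.net/`.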
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jxpm-75mh-9fp7