Back to overview

CVE-2026-48978

LOW
2.1
CVSS 4.0
Description
oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowing a malicious or compromised registry to cause SSRF to internal networks such as http://169.254.169.254/, http://10.0.0.x/, and http://127.0.0.1/, or to downgrade a registry contacted over https:// to an http:// token endpoint in registry/remote/auth/client.go through Client.Do(), Client.fetchBearerToken(), fetchDistributionToken, and fetchOAuth2Token. This issue is fixed in version 2.6.1.

Metadata

CVE ID
CVE-2026-48978
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-26 23:26 UTC
Published
2026-07-17 19:34 UTC
Last updated
2026-07-17 19:34 UTC
Primary CWE
CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product
oras-project / oras-go
Sources
cve.org  ·  NVD

Severity & Metrics

2.1 LOW CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
oras-project oras-go < 2.6.1
Weakness (CWE)
CWESourceDescription
CWE-319 cna CWE-319: Cleartext Transmission of Sensitive Information
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
2.1 LOW 4.0 cna CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References (3)
Back to overview