CVE-2026-24845
Credential Exposure via Malicious OCI Image in malcontent
Publication date: 2026-01-29
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard | malcontent | From 0.1.0 (inclusive) to 1.20.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in malcontent versions from 0.10.0 up to, but not including, 1.20.3 allows a malicious Docker registry to trick malcontent into exposing Docker registry credentials. It happens because malcontent uses google/go-containerregistry, which by default uses the Docker credential keychain. A specially crafted OCI image reference can cause the registry to send a WWW-Authenticate header that redirects token authentication to an attacker-controlled endpoint, so the stored credentials are sent to the attacker. The issue is fixed in version 1.20.3 by defaulting to anonymous authentication for OCI pulls.
How can this vulnerability impact me?
This vulnerability can lead to the exposure of your Docker registry credentials to an attacker-controlled endpoint. This could allow attackers to gain unauthorized access to your Docker registries, potentially leading to further compromise of your container images, supply chain, or infrastructure.
What immediate steps should I take to mitigate this vulnerability?
Upgrade malcontent to version 1.20.3 or later, as this version fixes the issue by defaulting to anonymous authentication for OCI image pulls, preventing exposure of Docker registry credentials.
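As an added defensive illustration (this is not malcontent's or go-containerregistry's code), the check below parses a registry WWW-Authenticate challenge and releases keychain credentials only when the token realm is HTTPS and points at the registry host itself or at an operator-configured list of known token-service hosts; every other challenge falls back to anonymous, which is the default the fixed version adopted. The policy, the function names and the sample challenge are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ParseChallenge returns the lower-cased key/value parameters of a registry
// WWW-Authenticate challenge such as Bearer realm="https://a.example/token".
func ParseChallenge(header string) (map[string]string, error) {
	params := map[string]string{}
	for _, m := range regexp.MustCompile(`(\w+)="([^"]*)"`).FindAllStringSubmatch(header, -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	if params["realm"] == "" {
		return nil, fmt.Errorf("no realm in challenge %q", header)
	}
	return params, nil
}

// RealmAllowed applies the example policy: the realm must be HTTPS and its host
// must be the registry host itself or one of the operator's known token hosts.
func RealmAllowed(registryHost, realm string, knownAuthHosts []string) bool {
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" {
		return false
	}
	for _, h := range append([]string{registryHost}, knownAuthHosts...) {
		if strings.EqualFold(u.Hostname(), h) {
			return true
		}
	}
	return false
}

// ChooseAuth releases keychain credentials only to an allowed realm; anything
// else falls back to anonymous, the default malcontent 1.20.3 adopted.
func ChooseAuth(registryHost, wwwAuthenticate string, knownAuthHosts []string) string {
	p, err := ParseChallenge(wwwAuthenticate)
	if err != nil || !RealmAllowed(registryHost, p["realm"], knownAuthHosts) {
		return "anonymous"
	}
	return "keychain"
}

func main() { // constructed challenge, not taken from the advisory
	fmt.Println(ChooseAuth("registry.example", `Bearer realm="https://attacker.example/token"`, nil))
}
```

Many registries legitimately issue tokens from a separate host, which is why the known-host list exists; without it the check would also refuse to authenticate to such registries, trading availability for the guarantee that stored credentials never leave the hosts the operator trusts.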