CVE-2026-50162
Received Received - Intake

Path Traversal in oras-go Library

Vulnerability report for CVE-2026-50162, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, resolveWritePath() in content/file/file.go uses a lexical filepath.Rel check for workingDir and does not account for symlink traversal, so when AllowPathTraversalOnWrite=false an attacker-controlled blob title through ocispec.AnnotationTitle such as out/pwn.txt can follow a workingDir symlink out -> /some/outside/dir and cause pushFile() to create /some/outside/dir/pwn.txt outside workingDir. This issue is fixed in version 2.6.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
oras-project oras-go to 2.6.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in oras-go (versions v2.6.0 and earlier) is a symlink traversal issue in the file content store. When AllowPathTraversalOnWrite is false, the system tries to restrict writes to a working directory using a lexical check with filepath.Rel. However, this check does not account for symlinks. If the working directory contains a symlink pointing outside, an attacker can provide a blob title that includes a path under the symlink, causing the system to write files outside the intended directory despite the restriction.

Detection Guidance

To detect this vulnerability, inspect systems using oras-go v2.6.0 or earlier for symlink-based path traversal attempts. Check logs for file writes outside intended directories or unusual blob titles containing path components like out/pwn.txt. Use commands like find / -type l -ls to identify symlinks in working directories and audit file creation operations in oras-go applications.

Impact Analysis

An attacker could exploit this to write files outside the intended working directory. This could lead to unauthorized file creation, data corruption, or overwriting sensitive files. If the application handles sensitive data, this might allow access to or modification of restricted files, potentially compromising system integrity or confidentiality.

Compliance Impact

This vulnerability could lead to unauthorized access or modification of sensitive data, violating confidentiality and integrity requirements in GDPR and HIPAA. It may result in data breaches, unauthorized disclosure, or tampering with protected health information, potentially leading to legal penalties, loss of trust, and compliance violations.

Mitigation Strategies

Upgrade oras-go to version 2.6.1 or later. If upgrading is not immediately possible, implement filesystem-relative operations like openat() or add symlink checks in resolveWritePath() to validate resolved directories. Disable AllowPathTraversalOnWrite if not required and audit file paths for symlink traversal attempts in existing configurations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50162. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart