Fedora Account System
Red Hat Associate
Red Hat Customer
oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. A malicious registry can set a realm pointing to internal networks (SSRF to IMDS, RFC 1918) or use http:// scheme to downgrade TLS, causing oras-go to send credentials over plaintext. Affected: oras.land/oras-go/v2 <= v2.6.0. Fixed in v2.6.1.