Understanding the oras-go Credential Forwarding Vulnerability via Unvalidated Location Header
The oras-go library is vulnerable to a credential forwarding issue due to an unvalidated Location header during the monolithic blob upload flow. This allows an attacker to leak credentials to an attacker-controlled endpoint and perform client-side SSRF. The vulnerability affects versions prior to 2.6.1 and is tracked under CVE-2026-50151.