CVE-2026-55092 - Trivy OCI artifact title path traversal arbitrary write
CVE-2026-55092 + Trivy OCI artifact title path traversal arbitrary write + High + 2026-06-25
One-sentence business risk
A scanner trusted by CI can be tricked into writing outside its workspace, threatening build hosts and release credentials.
Research notes
- Root cause: Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation.
- Affected versions: Trivy before 0.71.1 when fetching attacker-controlled OCI artifacts.
- Fixed / safe versions: Trivy 0.71.1 or later.
- Public exploit / PoC signal: public PoC or exploit details are referenced by NVD; use only safe regression tests and do not execute exploit payloads against production.
- CVSS: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Exact vulnerable code pattern
name = manifest.annotations["org.opencontainers.image.title"]
target = os.path.join(download_dir, name)
open(target, "wb").write(layer_bytes)
Fixed / mitigated code pattern
name = pathlib.PurePosixPath(annotation).name
if name in {"", ".", ".."} or any(sep in annotation for sep in ["/", "\\"]):
raise ValueError("unsafe artifact title")
target = (download_dir / name).resolve()
if not str(target).startswith(str(download_dir.resolve()) + os.sep):
raise ValueError("path escape")
target.write_bytes(layer_bytes)
Dependency or runtime update:
trivy --version
# upgrade Trivy to 0.71.1+ in CI images and developer tooling
trivy image --download-db-only
Step-by-step integration guide
- Inventory
aquasecurity/trivyin source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes. - Upgrade or patch to
Trivy 0.71.1 or later; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up. - Replace every vulnerable
path-traversalpattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting. - Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
- Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.
Alternative mitigations
- Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
- Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
- Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
- Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.
Detection signature
id: cve-2026-55092-trivy-oci-artifact-title-path-traversal-arbitrar
source: NVD
package_or_product: "aquasecurity/trivy"
affected: "Trivy before 0.71.1 when fetching attacker-controlled OCI artifacts"
fixed: "Trivy 0.71.1 or later"
cvss: "7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
signals:
- "path-traversal"
- "CVE-2026-55092"
- "aquasecurity/trivy"
action: "upgrade, add a regression test, and verify deploy artifact"
Copy-paste skill
You are remediating CVE-2026-55092 (Trivy OCI artifact title path traversal arbitrary write) in this repository.
Produce a reviewer-ready PR or TRIAGE.md. Inventory aquasecurity/trivy across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply Trivy 0.71.1 or later. Replace the vulnerable path-traversal pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2026-55092,path-traversal,aquasecurity/trivy,NVD. - Affected tech stack:
go/container-security. - Revenue tags:
sellable_to_fintech,enterprise_blocker,high_priority_sla.