CVE-2026-55092 - Trivy OCI artifact title path traversal

CVE-2026-55092 - Trivy OCI artifact title path traversal - High - 2026-06-25

Business risk: A scanner job that fetches a malicious OCI artifact can write files outside its workspace on CI or developer hosts.

Root cause: org.opencontainers.image.title is trusted as a destination filename without basename and containment validation.

Affected versions

  • Vulnerable: Trivy before 0.71.1 when fetching attacker-controlled OCI artifacts.
  • Fixed / safe target: Upgrade Trivy to 0.71.1+ and canonicalize artifact annotation filenames before writing layers.
  • CVSS: 7.5 (High)

Exact vulnerable code pattern

name := manifest.Annotations["org.opencontainers.image.title"]
dest := filepath.Join(downloadDir, name)
os.WriteFile(dest, layerBytes, 0600)

Fixed / mitigated code pattern

name := filepath.Base(manifest.Annotations["org.opencontainers.image.title"])
if name == "." || name == string(filepath.Separator) || strings.Contains(name, "..") {
    return fmt.Errorf("invalid OCI artifact title")
}
dest := filepath.Join(downloadDir, name)
if !strings.HasPrefix(filepath.Clean(dest), filepath.Clean(downloadDir)+string(filepath.Separator)) {
    return fmt.Errorf("artifact path escapes download directory")
}
os.WriteFile(dest, layerBytes, 0600)

Step-by-step integration guide

  1. Upgrade every Trivy binary, image, GitHub Action, and CI tool cache to 0.71.1+.
  2. Pin scanner images by digest.
  3. Clear old CI tool caches.
  4. Add a synthetic OCI artifact traversal test if Trivy is wrapped internally.
  5. Deploy scanner jobs with scratch workspaces and least privilege.

Alternative mitigations

  • Do not scan untrusted OCI artifacts with vulnerable Trivy.
  • Run Trivy in an ephemeral container with read-only host mounts.
  • Drop write permissions outside the scan workspace.

Detection signature

rg -n "aquasec/trivy|trivy-action|trivy:|TRIVY_VERSION|org.opencontainers.image.title" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-55092: Trivy OCI artifact title path traversal.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-55092 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, trivy, oci, container, path-traversal, arbitrary-write, sellable_to_devsecops, zero_day_gold, high
  • Affected tech stack: go/container
  • Revenue tags: sellable_to_devsecops, zero_day_gold

References