Search criteria
Related vulnerabilities
GHSA-C66C-VQ6W-FVH5
Vulnerability from github – Published: 2026-06-05 15:25 – Updated: 2026-06-05 15:25
VLAI
Summary
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
Details
Summary
managementServer.CreateSchematic (internal/backend/grpc/schematics.go) passes the caller-controlled TalosVersion field directly to imageFactoryClient.OverlaysVersions, which embeds it verbatim into a fmt.Sprintf("/version/%s/overlays/official", talosVersion) path template. url.URL.JoinPath resolves any ../ sequences in that path, allowing an authenticated Operator to rewrite the URL path and force Omni to issue HTTP GET requests to unintended paths on the configured image-factory server. Error body content from those unintended endpoints is returned to the caller.
Severity
- Attack Vector: Network: exploited via the gRPC
CreateSchematicAPI endpoint. - Attack Complexity: Low: once the attacker holds an Operator credential and has identified a media ID with an overlay, exploitation is a single API call.
- Privileges Required: High:
role.Operatoris required, which has administrative capabilities on Omni. - User Interaction: None.
- Scope: Unchanged: the traversal is constrained to the configured image-factory host; the attacker cannot redirect Omni to an arbitrary external server.
- Confidentiality Impact: Low: error body content from unintended image-factory endpoints is reflected back to the operator, potentially leaking server-internal information.
- Integrity Impact: None: only HTTP GET requests are issued; no write operations are performed.
- Availability Impact: None.
Impact
- Same-host path traversal: An authenticated Operator can force Omni to issue GET requests to arbitrary URL paths on the configured image-factory server, bypassing the intended versioned overlay API structure.
- Error-body disclosure: HTTP error responses from unintended image-factory endpoints are reflected back to the operator, potentially leaking server-internal diagnostics or sensitive path content.
- Internal network probing: In deployments using a private image-factory instance on an internal network, the attacker can probe endpoint existence and partial responses through error-text differences.
- Depth control: By varying the number of
../prefixes intalosVersion, the attacker can reach any path hierarchy on the image-factory host.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siderolabs/omni"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/siderolabs/omni"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45723"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-209",
"CWE-22",
"CWE-441",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T15:25:58Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\n`managementServer.CreateSchematic` (`internal/backend/grpc/schematics.go`) passes the caller-controlled `TalosVersion` field directly to `imageFactoryClient.OverlaysVersions`, which embeds it verbatim into a `fmt.Sprintf(\"/version/%s/overlays/official\", talosVersion)` path template. `url.URL.JoinPath` resolves any `../` sequences in that path, allowing an authenticated Operator to rewrite the URL path and force Omni to issue HTTP GET requests to unintended paths on the configured image-factory server. Error body content from those unintended endpoints is returned to the caller.\n\n## Severity\n\n- **Attack Vector:** Network: exploited via the gRPC `CreateSchematic` API endpoint.\n- **Attack Complexity:** Low: once the attacker holds an Operator credential and has identified a media ID with an overlay, exploitation is a single API call.\n- **Privileges Required:** High: `role.Operator` is required, which has administrative capabilities on Omni.\n- **User Interaction:** None.\n- **Scope:** Unchanged: the traversal is constrained to the configured image-factory host; the attacker cannot redirect Omni to an arbitrary external server.\n- **Confidentiality Impact:** Low: error body content from unintended image-factory endpoints is reflected back to the operator, potentially leaking server-internal information.\n- **Integrity Impact:** None: only HTTP GET requests are issued; no write operations are performed.\n- **Availability Impact:** None.\n\n## Impact\n\n- **Same-host path traversal**: An authenticated Operator can force Omni to issue GET requests to arbitrary URL paths on the configured image-factory server, bypassing the intended versioned overlay API structure.\n- **Error-body disclosure**: HTTP error responses from unintended image-factory endpoints are reflected back to the operator, potentially leaking server-internal diagnostics or sensitive path content.\n- **Internal network probing**: In deployments using a private image-factory instance on an internal network, the attacker can probe endpoint existence and partial responses through error-text differences.\n- **Depth control**: By varying the number of `../` prefixes in `talosVersion`, the attacker can reach any path hierarchy on the image-factory host.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
"id": "GHSA-c66c-vq6w-fvh5",
"modified": "2026-06-05T15:25:58Z",
"published": "2026-06-05T15:25:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siderolabs/omni/security/advisories/GHSA-c66c-vq6w-fvh5"
},
{
"type": "PACKAGE",
"url": "https://github.com/siderolabs/omni"
},
{
"type": "WEB",
"url": "https://github.com/siderolabs/omni/releases/tag/v1.6.6"
},
{
"type": "WEB",
"url": "https://github.com/siderolabs/omni/releases/tag/v1.7.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic"
}