CVE-2026-24845: CWE-522: Insufficiently Protected Credentials in chainguard-dev malcontent
malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls.
AI Analysis
Technical Summary
CVE-2026-24845 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting the malcontent tool developed by chainguard-dev. Malcontent is designed to detect supply-chain compromises by analyzing OCI container images. Versions from 0.10.0 up to but not including 1.20.3 use the google/go-containerregistry library to pull OCI images, which by default utilizes the Docker credential keychain to authenticate with registries. The vulnerability occurs when a malicious Docker registry responds with a crafted WWW-Authenticate HTTP header that redirects token authentication requests to an attacker-controlled endpoint. This causes malcontent to send its stored Docker registry credentials to the attacker’s server, exposing sensitive authentication tokens. The attack vector requires the user to scan a specially crafted OCI image reference, thus involving user interaction, but does not require prior authentication or elevated privileges. The impact is a high confidentiality breach as credentials can be stolen, potentially allowing attackers to access private container registries or perform further supply chain attacks. The issue is mitigated in malcontent version 1.20.3 by switching the default OCI pull authentication mode to anonymous, preventing credential leakage during image pulls from untrusted registries. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of Docker registry credentials used by malcontent during supply chain security scans. Exposure of these credentials could allow attackers to access private container images, modify or replace images, and potentially introduce malicious code into the software supply chain. This risk is particularly critical for organizations relying on containerized deployments and DevSecOps pipelines that integrate malcontent for image scanning. Compromise of registry credentials can lead to broader supply chain attacks, undermining trust in software integrity and causing operational disruptions. Additionally, leaked credentials could be used for lateral movement within cloud or on-premises environments. The vulnerability's exploitation requires scanning a malicious image, which could occur if an attacker convinces an analyst or automated system to scan a crafted image from an attacker-controlled registry. European entities with stringent data protection regulations (e.g., GDPR) may also face compliance risks if credential leakage leads to unauthorized access or data breaches.
Mitigation Recommendations
European organizations should immediately upgrade malcontent to version 1.20.3 or later, which defaults to anonymous authentication for OCI image pulls, eliminating the credential leakage vector. Until upgrade, organizations should restrict malcontent scans to trusted registries only and avoid scanning images from unverified or external sources. Network-level controls can be implemented to block outbound requests to unknown or suspicious registry endpoints. Additionally, auditing and rotating Docker registry credentials regularly can limit the impact of any potential credential exposure. Integrating strict validation and whitelisting of OCI image sources in CI/CD pipelines will reduce the risk of scanning malicious images. Monitoring network traffic for unusual authentication redirects or unexpected outbound connections from scanning hosts can help detect exploitation attempts. Finally, educating security and DevOps teams about this vulnerability and safe scanning practices is essential to prevent inadvertent exposure.
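To make the mechanism in the Technical Summary concrete from the defender's side, and as one way to implement the "unusual authentication redirects" monitoring recommended above, the following Go program is an added example; it is not code from malcontent or from google/go-containerregistry. It parses the `Bearer` challenge a registry returns in `WWW-Authenticate` and refuses to release credentials when the token realm is not HTTPS or names a host other than the registry itself or an explicit allowlist of known token services. The sample headers, the hostnames `registry.example` and `token.attacker.example`, and the allowlist are constructed for the example. Upgrading to 1.20.3, which defaults to anonymous auth, removes the need for such a check in malcontent itself; the check is for tooling that still must send credentials.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Challenge is one parsed WWW-Authenticate challenge: the scheme
// ("Bearer" or "Basic") and its comma-separated key="value" parameters.
type Challenge struct {
	Scheme string
	Params map[string]string
}

// splitParams splits a parameter list on commas that are outside quotes,
// so a quoted scope such as "repository:a/b:pull,push" stays intact.
func splitParams(s string) []string {
	var parts []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		parts = append(parts, cur.String())
	}
	return parts
}

// ParseWWWAuthenticate parses a header value such as
// `Bearer realm="https://auth.example/token",service="registry.example"`.
func ParseWWWAuthenticate(header string) (Challenge, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	c := Challenge{Scheme: scheme, Params: map[string]string{}}
	if scheme == "" {
		return c, errors.New("empty WWW-Authenticate challenge")
	}
	for _, kv := range splitParams(rest) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		c.Params[strings.ToLower(strings.TrimSpace(k))] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return c, nil
}

// hostOnly drops an optional :port so "registry.example:5000" compares
// equal to a realm host of "registry.example".
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// CheckTokenRealm returns nil when it is acceptable to present stored
// credentials to the token endpoint named in a Bearer challenge: the realm
// must be HTTPS and its host must be the registry itself or on an explicit
// allowlist of known token services. Anything else is the redirect pattern
// the advisory describes and is rejected before any credential is sent.
func CheckTokenRealm(registryHost string, ch Challenge, allowedAuthHosts []string) error {
	if !strings.EqualFold(ch.Scheme, "Bearer") {
		// Basic challenges are answered at the registry host itself; no token redirect is involved.
		return nil
	}
	realm, ok := ch.Params["realm"]
	if !ok {
		return errors.New("bearer challenge has no realm")
	}
	u, err := url.Parse(realm)
	if err != nil {
		return fmt.Errorf("unparseable realm %q: %w", realm, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("realm %q is not https; refusing to send credentials", realm)
	}
	host := u.Hostname()
	if strings.EqualFold(host, hostOnly(registryHost)) {
		return nil
	}
	for _, a := range allowedAuthHosts {
		if strings.EqualFold(host, a) {
			return nil
		}
	}
	return fmt.Errorf("token realm host %q is neither registry %q nor allowlisted; refusing to send credentials", host, registryHost)
}

func main() {
	// Constructed sample challenges for the demo; not captured from any real registry.
	samples := []struct{ registry, header string }{
		{"registry-1.docker.io", `Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"`},
		{"registry.example:5000", `Bearer realm="https://registry.example:5000/v2/token",service="registry.example"`},
		{"registry.example", `Bearer realm="https://token.attacker.example/token",service="registry.example"`},
	}
	allow := []string{"auth.docker.io"} // token services known to belong to trusted registries
	for _, s := range samples {
		ch, err := ParseWWWAuthenticate(s.header)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		if err := CheckTokenRealm(s.registry, ch, allow); err != nil {
			fmt.Printf("ALERT %-22s %v\n", s.registry, err)
		} else {
			fmt.Printf("ok    %-22s realm %s accepted\n", s.registry, ch.Params["realm"])
		}
	}
}
```

The allowlist exists because legitimate registries do hand out token realms on a different host (Docker Hub's `registry-1.docker.io` directs clients to `auth.docker.io`), so a bare same-host rule would break real pulls; the point is that the set of hosts credentials may go to is fixed by the operator rather than chosen by whatever registry the scanned image reference names. The same comparison can be applied to proxy or egress logs to flag a scanning host sending token requests to an unexpected realm.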
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T14:51:03.059Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697bd0d5ac06320222ba1d5e
Added to database: 1/29/2026, 9:27:49 PM
Last enriched: 1/29/2026, 9:42:20 PM
Last updated: 2/7/2026, 8:07:30 PM