CVE-2026-45723
Published: June 05, 2026
Updated: June 16, 2026
Summary
"managementServer.CreateSchematic" ("internal/backend/grpc/schematics.go") passes the caller-controlled "TalosVersion" field directly to "imageFactoryClient.OverlaysVersions", which embeds it verbatim into a "fmt.Sprintf("/version/%s/overlays/official", talosVersion)" path template. "url.URL.JoinPath" resolves any "../" sequences in that path, allowing an authenticated Operator to rewrite the URL path and force Omni to issue HTTP GET requests to unintended paths on the configured image-factory server. Error body content from those unintended endpoints is returned to the caller.
Severity
- Attack Vector: Network: exploited via the gRPC "CreateSchematic" API endpoint.
- Attack Complexity: Low: once the attacker holds an Operator credential and has identified a media ID with an overlay, exploitation is a single API call.
- Privileges Required: High: "role.Operator" is required, which has administrative capabilities on Omni.
- User Interaction: None.
- Scope: Unchanged: the traversal is constrained to the configured image-factory host; the attacker cannot redirect Omni to an arbitrary external server.
- Confidentiality Impact: Low: error body content from unintended image-factory endpoints is reflected back to the operator, potentially leaking server-internal information.
- Integrity Impact: None: only HTTP GET requests are issued; no write operations are performed.
- Availability Impact: None.
Impact
- Same-host path traversal: An authenticated Operator can force Omni to issue GET requests to arbitrary URL paths on the configured image-factory server, bypassing the intended versioned overlay API structure.
- Error-body disclosure: HTTP error responses from unintended image-factory endpoints are reflected back to the operator, potentially leaking server-internal diagnostics or sensitive path content.
- Internal network probing: In deployments using a private image-factory instance on an internal network, the attacker can probe endpoint existence and partial responses through error-text differences.
- Depth control: By varying the number of "../" prefixes in "talosVersion", the attacker can reach any path hierarchy on the image-factory host.
Credit
This vulnerability was discovered and reported by "bugbunny.ai" (https://bugbunny.ai).
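The path-template pattern described above beside a hardened form, as an added Go example that is not Omni's own code: the image-factory base URL, the version allow-list regex and the helper names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed base URL for a private image-factory instance; not a real host.
const factoryBase = "https://factory.example.internal"

// overlaysURL reproduces the pattern the advisory describes: the caller's
// version is formatted into a path template and joined onto the base URL.
// url.URL.JoinPath cleans "../", so a crafted value leaves the /version/ tree.
func overlaysURL(talosVersion string) (string, error) {
	base, err := url.Parse(factoryBase)
	if err != nil {
		return "", err
	}
	p := fmt.Sprintf("/version/%s/overlays/official", talosVersion)
	return base.JoinPath(p).String(), nil
}

// Assumed allow-list of version shapes (e.g. v1.7.3, v1.8.0-alpha.1): no "/" or "..".
var talosVersionRe = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$`)
var errBadVersion = errors.New("talosVersion is not a well-formed Talos version")

// safeOverlaysURL is the hardened form: validate before the value reaches any
// path template, then confirm the final URL still sits under /version/.
func safeOverlaysURL(talosVersion string) (string, error) {
	if !talosVersionRe.MatchString(talosVersion) {
		return "", errBadVersion
	}
	u, err := overlaysURL(talosVersion)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(u, factoryBase+"/version/") {
		return "", errBadVersion
	}
	return u, nil
}

func main() {
	u, _ := overlaysURL("../../other") // the traversal the advisory describes
	_, err := safeOverlaysURL("../../other")
	fmt.Printf("unvalidated: %s\nhardened: %v\n", u, err)
}
```

The unvalidated call yields a URL outside the versioned overlay hierarchy, while the hardened call rejects the same input before any request is built.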
Affected Packages
https://github.com/siderolabs/omni.git (GITHUB):
Affected version(s): >=v1.7.0 <v1.7.3
Fix Suggestion: Update to version v1.7.3
https://github.com/siderolabs/omni.git (GITHUB):
Affected version(s): >=v0.30.1 <v1.6.6
Fix Suggestion: Update to version v1.6.6
github.com/siderolabs/omni (GO):
Affected version(s): >=v1.7.0 <v1.7.3
Fix Suggestion: Update to version v1.7.3
github.com/siderolabs/omni (GO):
Affected version(s): >=v0.0.0-20240229142858-69dba26ece62 <v1.6.6
Fix Suggestion: Update to version v1.6.6
Related Resources (4)
CVSS v4
Base Score: 5.1
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: HIGH
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 2.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE
Weakness Type (CWE)
EPSS
Base Score: 0.04