CVE-2026-41888 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-41888

CVE-2026-41888

Published:May 14, 2026

Updated:May 18, 2026

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.

Affected Packages

github.com/distribution/distribution/v3 (GO):

Affected version(s) >=v2.0.0-alpha.0 <v3.1.1

Fix Suggestion:

Update to version v3.1.1

Related Resources (3)

https://github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592

https://nvd.nist.gov/vuln/detail/CVE-2026-41888

https://github.com/distribution/distribution

Do you need more information?

CVSS v4

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Weakness Type (CWE)

Incorrect Authorization

CWE-863

EPSS

Base Score:

0.04