CVE-2026-41888

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L                                    

Vulnerability Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 15, 2026

CWE ID

CWE-863

Source

GitHub

Vendor

Product

github.com/distribution/distribution/v3

External References

https://github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592
https://github.com/advisories/GHSA-6pjf-3r9x-m592

CVE-2026-41888

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment