VYPR
High severity (7.5) · NVD Advisory · Published Apr 6, 2026 · Updated Apr 9, 2026

CVE-2026-33540

Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
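The check the advisory describes, written as an added illustration (not code from the distribution project): parse the realm out of an upstream Bearer challenge, then refuse to send the configured upstream credentials unless the realm is an https URL on the same host as the upstream registry. The challenge string, the `example.test` hosts and the `realmAllowed` policy are constructed assumptions.

```go
package main

import (
	"errors"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample: a Bearer challenge whose realm points at a host other
// than the upstream registry. A malicious upstream or a MitM could return this.
const sampleChallenge = `Bearer realm="https://auth.example.test/token",service="registry.example.test",scope="repository:library/alpine:pull"`

var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// parseBearerRealm extracts the realm parameter from a WWW-Authenticate
// Bearer challenge. Non-Bearer or realm-less challenges are rejected.
func parseBearerRealm(header string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(header), "bearer ") {
		return "", errors.New("not a bearer challenge")
	}
	for _, m := range paramRe.FindAllStringSubmatch(header, -1) {
		if strings.EqualFold(m[1], "realm") {
			return m[2], nil
		}
	}
	return "", errors.New("bearer challenge has no realm")
}

// realmAllowed reports whether upstream credentials may be sent to realm:
// it must be an absolute https URL whose host (incl. port) equals the host of
// the configured upstream. Hypothetical policy modelled on the advisory's fix.
func realmAllowed(realm, upstream string) (bool, error) {
	r, err := url.Parse(realm)
	if err != nil {
		return false, err
	}
	u, err := url.Parse(upstream)
	if err != nil {
		return false, err
	}
	if r.Scheme != "https" || r.Host == "" {
		return false, nil
	}
	return strings.EqualFold(r.Host, u.Host), nil
}
```

The host comparison is deliberately strict (a realm on a different port is rejected too); relax it only if the upstream's token service is known to live elsewhere.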

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Ecosystem   Affected versions   Patched versions
github.com/distribution/distribution/v3    Go          < 3.1.0             3.1.0
github.com/distribution/distribution       Go          <= 2.8.3
