Medium severity 6.5 · GHSA Advisory · Published May 14, 2026 · Updated May 15, 2026
CVE-2026-41888
Description
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.
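A log check for the behaviour described above, as an added example that is not code from the advisory or from the Distribution project: it flags DELETE requests on `/v2/<name>/manifests/<reference>` where the reference is a tag rather than a digest. It assumes access logs in Apache combined format (from the registry or a fronting proxy); the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: each log line carries '"METHOD PATH HTTP/x" STATUS ' as in the
# Apache combined format, with the client address as the first field.
REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# /v2/<name>/manifests/<reference>; <name> may itself contain slashes.
MANIFEST = re.compile(r'^/v2/(?P<name>.+)/manifests/(?P<ref>[^/]+)$')
# A digest reference is "<algorithm>:<hex>"; a tag cannot contain ':'.
DIGEST = re.compile(r'^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-fA-F]{32,}$')


def find_tag_deletes(lines):
    """Return (client, repo, tag, status) for each DELETE on a manifest tag."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m or m.group("method") != "DELETE":
            continue
        path = m.group("path").split("?", 1)[0]
        pm = MANIFEST.match(path)
        if not pm:
            continue  # some other route
        ref = unquote(pm.group("ref"))  # tolerate sha256%3A... in the path
        if DIGEST.match(ref):
            continue  # delete by digest, not the tag path in the advisory
        client = line.split(" ", 1)[0]
        hits.append((client, pm.group("name"), ref, int(m.group("status"))))
    return hits


def accepted(hits):
    """Tag deletes that the server answered with a 2xx status."""
    return [h for h in hits if 200 <= h[3] < 300]


# Constructed sample lines (not taken from a real registry).
_D = "sha256:" + "ab" * 32
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:01:02 +0000] "GET /v2/team/app/manifests/v1.4.2 HTTP/1.1" 200 1523 "" "client"',
    '10.0.0.9 - - [01/Jan/2026:10:02:10 +0000] "DELETE /v2/team/app/manifests/v1.4.2 HTTP/1.1" 202 0 "" "client"',
    '10.0.0.9 - - [01/Jan/2026:10:02:11 +0000] "DELETE /v2/team/app/manifests/%s HTTP/1.1" 405 78 "" "client"' % _D,
    '10.0.0.7 - - [01/Jan/2026:10:03:00 +0000] "DELETE /v2/base/manifests/latest HTTP/1.1" 405 78 "" "client"',
]

if __name__ == "__main__":
    for client, repo, tag, status in accepted(find_tag_deletes(SAMPLE_LOG)):
        print(f"accepted tag delete: {repo}:{tag} from {client} ({status})")
```

On a registry configured with storage.delete.enabled: false, any entry returned by `accepted()` is worth reviewing against the operator's intent.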
Affected products
- Range: <= 2.8.3
Patches
No patches discovered yet.
References
- github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592 (nvd: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-6pjf-3r9x-m592 (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41888 (ghsa)