VYPR
Medium severity6.5GHSA Advisory· Published May 14, 2026· Updated May 15, 2026

CVE-2026-41888

CVE-2026-41888

Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/distribution/distribution/v3Go
< 3.1.13.1.1
github.com/distribution/distributionGo
<= 2.8.3

Affected products

33

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.