Vulnerabilities ›

CVE-2026-41888

Medium ⚡ Exploit Available

CWE-863 — Weakness Type

                    Published: May 14, 2026                      ·  Modified: May 17, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.

🤖 AI Executive Summary

CVE-2026-41888 is a vulnerability in Distribution container toolkit versions prior to 3.1.1 that allows unauthorized tag deletion despite disabled deletion policies. The flaw bypasses the storage.delete.enabled configuration, enabling API clients to remove repository tags without proper authorization.

📄 Description (Arabic)

ثغرة في Distribution تسمح بحذف علامات الحاويات عند نقطة نهاية DELETE /v2/<name>/manifests/<tag> حتى عندما يكون الحذف معطلاً. تؤثر الثغرة على الإصدارات السابقة للإصدار 3.1.1 وتم إصلاحها في هذا الإصدار.

🤖 ملخص تنفيذي (AI)

This vulnerability affects Distribution container toolkit versions before 3.1.1, allowing unauthorized deletion of container image tags even when deletion is explicitly disabled. The flaw bypasses security configurations that prevent tag removal from repositories.

🤖 AI Intelligence Analysis Analyzed: May 16, 2026 02:01

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom energy government healthcare

🎯 MITRE ATT&CK Techniques

T1578.003 T1485

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade Distribution toolkit to version 3.1.1 or later immediately. Verify storage.delete.enabled configuration is properly enforced. Implement network-level access controls to restrict DELETE requests to the /v2/<name>/manifests/<tag> endpoint. Audit container registries for unauthorized tag deletions and review access logs for suspicious API activity.

🔧 خطوات المعالجة (العربية)

قم بترقية أداة Distribution إلى الإصدار 3.1.1 أو أحدث فوراً. تحقق من أن إعدادات storage.delete.enabled مطبقة بشكل صحيح. طبق عناصر تحكم في الوصول على مستوى الشبكة لتقييد طلبات DELETE. قم بتدقيق السجلات للتحقق من حذف العلامات غير المصرح به.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2

🔵 SAMA CSF

AC-3 AC-6

🟡 ISO 27001:2022

A.9.1.1 A.9.2.1 A.9.4.3

🔗 References & Sources 2

🔗

https://github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592

security-advisories@github.com

Exploit Vendor Advisory

🔗

https://github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592

134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

distribution:distribution

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.5

CWECWE-863

EPSS0.02%

Exploit ✓ Yes

Patch ✗ No

Published 2026-05-14

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

exploit-available CWE-863

🏢 Vendor Advisories

🔗 https://github.com/distribution/distribution/securit... 🔗 https://github.com/distribution/distribution/securit...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-41888

Introduce Yourself

Sign In Required