CVE-2026-41888
Public on 2026-05-14
Modified on 2026-05-22
Description
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | docker | Not Affected | ||
| Amazon Linux 2 - Docker Extra | docker | Not Affected | ||
| Amazon Linux 2 - Ecs Extra | docker | Not Affected | ||
| Amazon Linux 2023 | docker | Not Affected | ||
| Amazon Linux 2 - Docker Extra | runfinch-finch | Not Affected | ||
| Amazon Linux 2023 | runfinch-finch | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| NVD | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |