Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-33540 (GCVE-0-2026-33540)
Vulnerability from cvelistv5 – Published: 2026-04-06 14:55 – Updated: 2026-04-06 15:04
VLAI
EPSS
Title
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
Summary
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/distribution/distribution/secu… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| distribution | distribution |
Affected:
< 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33540",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:04:46.763761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:04:50.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "distribution",
"vendor": "distribution",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T14:55:04.812Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"
}
],
"source": {
"advisory": "GHSA-3p65-76g6-3w7r",
"discovery": "UNKNOWN"
},
"title": "Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33540",
"datePublished": "2026-04-06T14:55:04.812Z",
"dateReserved": "2026-03-20T18:05:11.831Z",
"dateUpdated": "2026-04-06T15:04:50.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33540",
"date": "2026-05-27",
"epss": "0.00055",
"percentile": "0.17293"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33540\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-06T15:17:10.950\",\"lastModified\":\"2026-04-09T18:36:53.427\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:distribution_project:distribution:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"3.1.0\",\"matchCriteriaId\":\"A9736C6D-CC89-49C4-BF90-C1E5F31A82B0\"}]}]}],\"references\":[{\"url\":\"https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33540\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-06T15:04:46.763761Z\"}}}], \"references\": [{\"url\": \"https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-06T15:04:39.539Z\"}}], \"cna\": {\"title\": \"Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm\", \"source\": {\"advisory\": \"GHSA-3p65-76g6-3w7r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"distribution\", \"product\": \"distribution\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r\", \"name\": \"https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-06T14:55:04.812Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33540\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-06T15:04:50.154Z\", \"dateReserved\": \"2026-03-20T18:05:11.831Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-06T14:55:04.812Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
cleanstart-2026-ac01087
Vulnerability from cleanstart
Published
2026-04-10 01:03
Modified
2026-04-09 09:55
Summary
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions
Details
Multiple security vulnerabilities affect the gitness package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "gitness"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the gitness package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-AC01087",
"modified": "2026-04-09T09:55:12Z",
"published": "2026-04-10T01:03:59.042951Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-AC01087.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-30153"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35172"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrw8-fxc6-2r93"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30153"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35172"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-22868",
"CVE-2025-30153",
"CVE-2025-61726",
"CVE-2025-61728",
"CVE-2025-61729",
"CVE-2025-61730",
"CVE-2025-68119",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33540",
"CVE-2026-33810",
"CVE-2026-35172",
"ghsa-4vq8-7jfc-9cvp",
"ghsa-f6x5-jh6r-wrfv",
"ghsa-j5w8-q4qc-rx2x",
"ghsa-vrw8-fxc6-2r93"
]
}
cleanstart-2026-dm93480
Vulnerability from cleanstart
Published
2026-04-10 01:06
Modified
2026-04-09 09:11
Summary
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions
Details
Multiple security vulnerabilities affect the lvm-driver package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "lvm-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the lvm-driver package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-DM93480",
"modified": "2026-04-09T09:11:04Z",
"published": "2026-04-10T01:06:00.088585Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-DM93480.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47911"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58190"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35172"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47911"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58190"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35172"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-22868",
"CVE-2025-47911",
"CVE-2025-58190",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33540",
"CVE-2026-33810",
"CVE-2026-35172"
]
}
cleanstart-2026-nx54250
Vulnerability from cleanstart
Published
2026-04-10 01:03
Modified
2026-04-09 09:59
Summary
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions
Details
Multiple security vulnerabilities affect the gitness package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "gitness"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the gitness package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-NX54250",
"modified": "2026-04-09T09:59:33Z",
"published": "2026-04-10T01:03:29.003448Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-NX54250.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-30153"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35172"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrw8-fxc6-2r93"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30153"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35172"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-22868",
"CVE-2025-30153",
"CVE-2025-61726",
"CVE-2025-61728",
"CVE-2025-61729",
"CVE-2025-61730",
"CVE-2025-68119",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33540",
"CVE-2026-33810",
"CVE-2026-35172",
"ghsa-4vq8-7jfc-9cvp",
"ghsa-f6x5-jh6r-wrfv",
"ghsa-j5w8-q4qc-rx2x",
"ghsa-vrw8-fxc6-2r93"
]
}
cleanstart-2026-sv08737
Vulnerability from cleanstart
Published
2026-04-22 00:41
Modified
2026-04-21 09:40
Summary
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions
Details
Multiple security vulnerabilities affect the gitness package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "gitness"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the gitness package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-SV08737",
"modified": "2026-04-21T09:40:31Z",
"published": "2026-04-22T00:41:58.805478Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-SV08737.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35172"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f2g3-hh2r-cwgc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hfvc-g4fc-pqhx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q9hv-hpm4-hj6x"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61730"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68119"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35172"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-61726",
"CVE-2025-61728",
"CVE-2025-61729",
"CVE-2025-61730",
"CVE-2025-68119",
"CVE-2026-1229",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33540",
"CVE-2026-33810",
"CVE-2026-35172",
"ghsa-4vq8-7jfc-9cvp",
"ghsa-f2g3-hh2r-cwgc",
"ghsa-f6x5-jh6r-wrfv",
"ghsa-hfvc-g4fc-pqhx",
"ghsa-j5w8-q4qc-rx2x",
"ghsa-p77j-4mvh-x3m3",
"ghsa-q9hv-hpm4-hj6x"
]
}
cleanstart-2026-uo31069
Vulnerability from cleanstart
Published
2026-04-10 01:05
Modified
2026-04-09 09:11
Summary
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions
Details
Multiple security vulnerabilities affect the lvm-driver package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "lvm-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the lvm-driver package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-UO31069",
"modified": "2026-04-09T09:11:26Z",
"published": "2026-04-10T01:05:29.587855Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-UO31069.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47911"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-58190"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35172"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47911"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58190"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35172"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions",
"upstream": [
"CVE-2025-47911",
"CVE-2025-58190",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33186",
"CVE-2026-33540",
"CVE-2026-33810",
"CVE-2026-35172"
]
}
FKIE_CVE-2026-33540
Vulnerability from fkie_nvd - Published: 2026-04-06 15:17 - Updated: 2026-04-09 18:36
Severity
Summary
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r | Exploit, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| distribution_project | distribution | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:distribution_project:distribution:*:*:*:*:*:go:*:*",
"matchCriteriaId": "A9736C6D-CC89-49C4-BF90-C1E5F31A82B0",
"versionEndExcluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0."
}
],
"id": "CVE-2026-33540",
"lastModified": "2026-04-09T18:36:53.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-06T15:17:10.950",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-3P65-76G6-3W7R
Vulnerability from github – Published: 2026-04-06 17:52 – Updated: 2026-04-06 23:42
VLAI
Summary
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
Details
hi guys,
commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31) contact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)
summary
in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. the realm URL from a bearer challenge is used without validating that it matches the upstream registry host. as a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL.
this is the same vulnerability class as CVE-2020-15157 (containerd), but in distribution’s pull-through cache proxy auth flow.
severity
HIGH
note: the baseline impact is credential disclosure of the configured upstream credentials. if a deployment uses broader credentials for upstream auth (for example cloud iam credentials), the downstream impact can be higher; i am not claiming this as default for all deployments.
impact
credential exfiltration of the upstream authentication material configured for the pull-through cache.
attacker starting positions that make this realistic: - supply chain / configuration: an operator configures a proxy cache to use an upstream that becomes attacker-controlled (compromised registry, stale domain, or a malicious mirror) - network: MitM on the upstream connection in environments where the upstream is reachable over insecure transport or a compromised network path
affected components
registry/proxy/proxyauth.go:66-81(getAuthURLs): extracts bearerrealmfrom upstreamWWW-Authenticatewithout validating destinationinternal/client/auth/session.go:485-510(fetchToken): uses the realm URL directly for token fetchinternal/client/auth/session.go:429-434(fetchTokenWithBasicAuth): sends credentials via basic auth to the realm URL
reproduction
attachment: poc.zip (local harness) with canonical and control runs.
the harness is local and does not contact a real registry: it uses two local HTTP servers (upstream + attacker token service) to demonstrate whether basic auth is sent to an attacker-chosen realm.
unzip -q -o poc.zip -d poc
cd poc
make canonical
make control
expected output (excerpt):
[CALLSITE_HIT]: getAuthURLs::configureAuth
[PROOF_MARKER]: basic_auth_sent=true realm_host=127.0.0.1 account_param=user authorization_prefix=Basic
control output (excerpt):
[CALLSITE_HIT]: getAuthURLs::configureAuth
[NC_MARKER]: realm_validation=PASS basic_auth_sent=false
suggested remediation
validate that the token realm destination is within the intended trust boundary before associating credentials with it or sending any authentication to it. one conservative option is strict same-host binding: only accept a realm whose host matches the configured upstream host.
fix accepted when
- distribution does not send configured upstream credentials to an attacker-chosen realm URL
- a regression test covers the canonical and blocked cases
addendum.md poc.zip PR_DESCRIPTION.md RUNNABLE_POC.md
best, oleh
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/distribution/distribution/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/distribution/distribution"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33540"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T17:52:52Z",
"nvd_published_at": "2026-04-06T15:17:10Z",
"severity": "HIGH"
},
"details": "hi guys,\n\ncommit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)\ncontact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)\n\n## summary\n\nin pull-through cache mode, distribution discovers token auth endpoints by parsing `WWW-Authenticate` challenges returned by the configured upstream registry. the `realm` URL from a bearer challenge is used without validating that it matches the upstream registry host. as a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled `realm` URL.\n\nthis is the same vulnerability class as CVE-2020-15157 (containerd), but in distribution\u2019s pull-through cache proxy auth flow.\n\n## severity\n\nHIGH\n\nnote: the baseline impact is credential disclosure of the configured upstream credentials. if a deployment uses broader credentials for upstream auth (for example cloud iam credentials), the downstream impact can be higher; i am not claiming this as default for all deployments.\n\n## impact\n\ncredential exfiltration of the upstream authentication material configured for the pull-through cache.\n\nattacker starting positions that make this realistic:\n- supply chain / configuration: an operator configures a proxy cache to use an upstream that becomes attacker-controlled (compromised registry, stale domain, or a malicious mirror)\n- network: MitM on the upstream connection in environments where the upstream is reachable over insecure transport or a compromised network path\n\n## affected components\n\n- `registry/proxy/proxyauth.go:66-81` (`getAuthURLs`): extracts bearer `realm` from upstream `WWW-Authenticate` without validating destination\n- `internal/client/auth/session.go:485-510` (`fetchToken`): uses the realm URL directly for token fetch\n- `internal/client/auth/session.go:429-434` (`fetchTokenWithBasicAuth`): sends credentials via basic auth to the realm URL\n\n## reproduction\n\nattachment: `poc.zip` (local harness) with canonical and control runs.\n\nthe harness is local and does not contact a real registry: it uses two local HTTP servers (upstream + attacker token service) to demonstrate whether basic auth is sent to an attacker-chosen realm.\n\n```bash\nunzip -q -o poc.zip -d poc\ncd poc\nmake canonical\nmake control\n```\n\nexpected output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[PROOF_MARKER]: basic_auth_sent=true realm_host=127.0.0.1 account_param=user authorization_prefix=Basic\n```\n\ncontrol output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[NC_MARKER]: realm_validation=PASS basic_auth_sent=false\n```\n\n## suggested remediation\n\nvalidate that the token `realm` destination is within the intended trust boundary before associating credentials with it or sending any authentication to it. one conservative option is strict same-host binding: only accept a realm whose host matches the configured upstream host.\n\n## fix accepted when\n\n- distribution does not send configured upstream credentials to an attacker-chosen realm URL\n- a regression test covers the canonical and blocked cases\n\n[addendum.md](https://github.com/user-attachments/files/24984637/addendum.md)\n[poc.zip](https://github.com/user-attachments/files/24984638/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/24984639/PR_DESCRIPTION.md)\n[RUNNABLE_POC.md](https://github.com/user-attachments/files/24984640/RUNNABLE_POC.md)\n\n\nbest,\noleh",
"id": "GHSA-3p65-76g6-3w7r",
"modified": "2026-04-06T23:42:43Z",
"published": "2026-04-06T17:52:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33540"
},
{
"type": "WEB",
"url": "https://github.com/distribution/distribution/commit/cc5d5fa4ba02157501e6afa2cc6a903ad0338e7b"
},
{
"type": "PACKAGE",
"url": "https://github.com/distribution/distribution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm"
}
OPENSUSE-SU-2026:10631-1
Vulnerability from csaf_opensuse - Published: 2026-04-28 00:00 - Updated: 2026-04-28 00:00Summary
distribution-registry-3.1.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: distribution-registry-3.1.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the distribution-registry-3.1.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10631
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
14 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2026-33186/ | self |
| https://www.suse.com/security/cve/CVE-2026-33540/ | self |
| https://www.suse.com/security/cve/CVE-2026-34986/ | self |
| https://www.suse.com/security/cve/CVE-2026-35172/ | self |
| https://www.suse.com/security/cve/CVE-2026-33186 | external |
| https://bugzilla.suse.com/1260085 | external |
| https://www.suse.com/security/cve/CVE-2026-33540 | external |
| https://bugzilla.suse.com/1261793 | external |
| https://www.suse.com/security/cve/CVE-2026-34986 | external |
| https://bugzilla.suse.com/1262805 | external |
| https://www.suse.com/security/cve/CVE-2026-35172 | external |
| https://bugzilla.suse.com/1262096 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "distribution-registry-3.1.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the distribution-registry-3.1.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10631",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10631-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35172 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35172/"
}
],
"title": "distribution-registry-3.1.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-04-28T00:00:00Z",
"generator": {
"date": "2026-04-28T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10631-1",
"initial_release_date": "2026-04-28T00:00:00Z",
"revision_history": [
{
"date": "2026-04-28T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-1.1.aarch64",
"product": {
"name": "distribution-registry-3.1.0-1.1.aarch64",
"product_id": "distribution-registry-3.1.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-1.1.ppc64le",
"product": {
"name": "distribution-registry-3.1.0-1.1.ppc64le",
"product_id": "distribution-registry-3.1.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-1.1.s390x",
"product": {
"name": "distribution-registry-3.1.0-1.1.s390x",
"product_id": "distribution-registry-3.1.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-1.1.x86_64",
"product": {
"name": "distribution-registry-3.1.0-1.1.x86_64",
"product_id": "distribution-registry-3.1.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33540"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33540",
"url": "https://www.suse.com/security/cve/CVE-2026-33540"
},
{
"category": "external",
"summary": "SUSE Bug 1261793 for CVE-2026-33540",
"url": "https://bugzilla.suse.com/1261793"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-33540"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-35172",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35172"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35172",
"url": "https://www.suse.com/security/cve/CVE-2026-35172"
},
{
"category": "external",
"summary": "SUSE Bug 1262096 for CVE-2026-35172",
"url": "https://bugzilla.suse.com/1262096"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.aarch64",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.ppc64le",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.s390x",
"openSUSE Tumbleweed:distribution-registry-3.1.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-28T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-35172"
}
]
}
SUSE-SU-2026:21560-1
Vulnerability from csaf_suse - Published: 2026-05-06 00:44 - Updated: 2026-05-06 00:44Summary
Security update for distribution
Severity
Important
Notes
Title of the patch: Security update for distribution
Description of the patch: This update for distribution fixes the following issues
Security issues:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
header (bsc#1260283).
- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of
service (bsc#1262951).
- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).
Non security issues:
- add distribution-registry.tmpfiles (jsc#PED-14747).
- distribution builds against go1.24 EOL (bsc#1259718).
Changes for distribution:
- update to 3.1.0
* Adds support for tag pagination
* Fixes default credentials in Azure storage provider
* Drops support for go1.23 and go1.24 and updates to go1.25
* See the full changelog below for the full list of changes.
* docs: Update to refer to new image tag v3
* Fix default_credentials in azure storage provider
* chore: make function comment match function name
* build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in
the go_modules group across 1 directory
* fix: implement JWK thumbprint for Ed25519 public keys
* fix: Annotate code block from validation.indexes
configuration docs
* feat: extract redis config to separate struct
* Fix: resolve issue #4478 by using a temporary file for non-
append writes
* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
* docs: Add note about `OTEL_TRACES_EXPORTER`
* fix: set OTEL traces to disabled by default
* Fix markdown syntax for OTEL traces link in docs
* Switch UUIDs to UUIDv7
* refactor: replace map iteration with maps.Copy/Clone
* s3-aws: fix build for 386
* docs: Add OpenTelemetry links to quickstart docs
* Fix S3 driver loglevel param
* Fixed data race in TestSchedule test
* Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of
ecdsa keys
* build(deps): bump actions/checkout from 4 to 5
* Fix broken link to Docker Hub fair use policy
* fix(registry/handlers/app): redis CAs
* build(deps): bump actions/labeler from 5 to 6
* build(deps): bump actions/setup-go from 5 to 6
* build(deps): bump actions/upload-pages-artifact from 3 to 4
* build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
* build(deps): bump github/codeql-action from 3.26.5 to 4.30.7
* build(deps): bump github/codeql-action from 4.30.7 to 4.30.8
* chore: labeler: add area/client mapping for
internal/client/**
* client: add Accept headers to Exists() HEAD
* feat(registry): Make graceful shutdown test robust
* fix(registry): Correct log formatting for upstream challenge
* build(deps): bump github/codeql-action from 4.30.8 to 4.30.9
* build(deps): bump github/codeql-action from 4.30.9 to 4.31.3
* refactor: remove redundant variable declarations in for loops
* "should" -> "must" regarding redis eviction policy
* build(deps): bump actions/checkout from 5 to 6
* Incorrect warning hint
* Add return error when list object
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0
* build(deps): bump peter-evans/dockerhub-description from 4 to
5
* fix: Logging regression for manifest HEAD requests
* Add boolean parsing util
* Expose `useFIPSEndpoint` for S3
* Add Cloudfleet Container Registry to adopters
* fix(ci): Fix broken Azure e2e storage tests
* BUG: Fix notification filtering to work with actions when
mediatypes is empty
* build(deps): bump actions/checkout from 6.0.0 to 6.0.1
* build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
* build(deps): bump github/codeql-action from 4.31.3 to 4.31.10
* build(deps): bump github/codeql-action from 4.31.10 to 4.32.2
* build(deps): bump actions/checkout from 6.0.1 to 6.0.2
* update golangci-lint to v2.9 and fix linting issues
* update to go1.25.7, alpine 3.23, xx v1.9.0
* vendor: github.com/sirupsen/logrus v1.9.4
* vendor: update golang.org/x/* dependencies
* vendor: github.com/docker/docker-credential-helpers v0.9.5
* vendor: github.com/opencontainers/image-spec v1.1.1
* vendor: github.com/klauspost/compress v1.18.4
* fix: prefer otel variables over hard coded service name
* vendor: github.com/spf13/cobra v1.10.2
* vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
* fix: sync parent dir to ensure data is reliably stored
* modernize code
* vendor: github.com/docker/go-events 605354379745
* vendor: github.com/go-jose/go-jose/v4 v4.1.3
* build(deps): bump github/codeql-action from 4.32.2 to 4.32.5
* build(deps): bump docker/login-action from 3 to 4
* build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
* build(deps): bump docker/setup-buildx-action from 3 to 4
* build(deps): bump docker/bake-action from 6 to 7
* build(deps): bump docker/metadata-action from 5 to 6
* fix: nil-check scheduler in `proxyingRegistry.Close()`
* fix: set MD5 on GCS writer before first `Write` call in
`putContent`
* docs: pull through cache will pull from remote multiple times
* Update s3.md regionendpoint option
* chore(deps): Bump Go to latest 1.25 in CI workflows and
go.mod
* fix: correct Ed25519 JWK thumbprint `kty` from `"OTP"` to
`"OKP"`
* Update vacuum.go
* Opt: refector tag list pagination support (stage 1)
* Correctly match environment variables to YAML-inlined structs
in configuration
* Enable Redis TLS without client certificates
* build(deps): bump actions/deploy-pages from 4 to 5
* build(deps): bump github/codeql-action from 4.32.5 to 4.34.1
* fix(registry/proxy): use detached context when flushing write
buffer
* ci: pin actions and apply zizmor auto-fixes
* build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
* build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to
4.1.4 in the go_modules group across 1 directory
* chore(app): warn when partial TLS config is used in Redis
* feat(registry): enhance authentication checks in htpasswd
implementation
* Opt: refactor tag list pagination support
* build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
* build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
* fix(vendor): fix broke vendor validation
* chore(ci): Prep for v3.1 release
- Update to version 3.1.0:
* fix(vendor): fix broke vendpor validation
* fix redis repo-scoped blob descriptor revocation
* proxy: bind bearer realms to upstream trust boundary
- restore directory ownership after last change
- Move config files in systemd tmpfiles dir for immutable mode
Patchnames: SUSE-SLES-16.0-703
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
21 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/s… | self |
| https://www.suse.com/support/update/announcement/… | self |
| https://lists.suse.com/pipermail/sle-updates/2026… | self |
| https://bugzilla.suse.com/1259718 | self |
| https://bugzilla.suse.com/1260283 | self |
| https://bugzilla.suse.com/1261793 | self |
| https://bugzilla.suse.com/1262096 | self |
| https://bugzilla.suse.com/1262951 | self |
| https://www.suse.com/security/cve/CVE-2026-33186/ | self |
| https://www.suse.com/security/cve/CVE-2026-33540/ | self |
| https://www.suse.com/security/cve/CVE-2026-34986/ | self |
| https://www.suse.com/security/cve/CVE-2026-35172/ | self |
| https://www.suse.com/security/cve/CVE-2026-33186 | external |
| https://bugzilla.suse.com/1260085 | external |
| https://www.suse.com/security/cve/CVE-2026-33540 | external |
| https://bugzilla.suse.com/1261793 | external |
| https://www.suse.com/security/cve/CVE-2026-34986 | external |
| https://bugzilla.suse.com/1262805 | external |
| https://www.suse.com/security/cve/CVE-2026-35172 | external |
| https://bugzilla.suse.com/1262096 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for distribution",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for distribution fixes the following issues\n\nSecurity issues:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260283).\n- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of\n service (bsc#1262951).\n- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).\n\nNon security issues:\n\n- add distribution-registry.tmpfiles (jsc#PED-14747).\n- distribution builds against go1.24 EOL (bsc#1259718).\n\nChanges for distribution:\n\n- update to 3.1.0\n\n * Adds support for tag pagination\n * Fixes default credentials in Azure storage provider\n * Drops support for go1.23 and go1.24 and updates to go1.25\n * See the full changelog below for the full list of changes.\n * docs: Update to refer to new image tag v3\n * Fix default_credentials in azure storage provider\n * chore: make function comment match function name\n * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in\n the go_modules group across 1 directory\n * fix: implement JWK thumbprint for Ed25519 public keys\n * fix: Annotate code block from validation.indexes\n configuration docs\n * feat: extract redis config to separate struct\n * Fix: resolve issue #4478 by using a temporary file for non-\n append writes\n * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2\n * docs: Add note about `OTEL_TRACES_EXPORTER`\n * fix: set OTEL traces to disabled by default\n * Fix markdown syntax for OTEL traces link in docs\n * Switch UUIDs to UUIDv7\n * refactor: replace map iteration with maps.Copy/Clone\n * s3-aws: fix build for 386\n * docs: Add OpenTelemetry links to quickstart docs\n * Fix S3 driver loglevel param\n * Fixed data race in TestSchedule test\n * Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of\n ecdsa keys\n * build(deps): bump actions/checkout from 4 to 5\n * Fix broken link to Docker Hub fair use policy\n * fix(registry/handlers/app): redis CAs\n * build(deps): bump actions/labeler from 5 to 6\n * build(deps): bump actions/setup-go from 5 to 6\n * build(deps): bump actions/upload-pages-artifact from 3 to 4\n * build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3\n * build(deps): bump github/codeql-action from 3.26.5 to 4.30.7\n * build(deps): bump github/codeql-action from 4.30.7 to 4.30.8\n * chore: labeler: add area/client mapping for\n internal/client/**\n * client: add Accept headers to Exists() HEAD\n * feat(registry): Make graceful shutdown test robust\n * fix(registry): Correct log formatting for upstream challenge\n * build(deps): bump github/codeql-action from 4.30.8 to 4.30.9\n * build(deps): bump github/codeql-action from 4.30.9 to 4.31.3\n * refactor: remove redundant variable declarations in for loops\n * \"should\" -\u003e \"must\" regarding redis eviction policy\n * build(deps): bump actions/checkout from 5 to 6\n * Incorrect warning hint\n * Add return error when list object\n * build(deps): bump actions/checkout from 5.0.1 to 6.0.0\n * build(deps): bump peter-evans/dockerhub-description from 4 to\n 5\n * fix: Logging regression for manifest HEAD requests\n * Add boolean parsing util\n * Expose `useFIPSEndpoint` for S3\n * Add Cloudfleet Container Registry to adopters\n * fix(ci): Fix broken Azure e2e storage tests\n * BUG: Fix notification filtering to work with actions when\n mediatypes is empty\n * build(deps): bump actions/checkout from 6.0.0 to 6.0.1\n * build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0\n * build(deps): bump github/codeql-action from 4.31.3 to 4.31.10\n * build(deps): bump github/codeql-action from 4.31.10 to 4.32.2\n * build(deps): bump actions/checkout from 6.0.1 to 6.0.2\n * update golangci-lint to v2.9 and fix linting issues\n * update to go1.25.7, alpine 3.23, xx v1.9.0\n * vendor: github.com/sirupsen/logrus v1.9.4\n * vendor: update golang.org/x/* dependencies\n * vendor: github.com/docker/docker-credential-helpers v0.9.5\n * vendor: github.com/opencontainers/image-spec v1.1.1\n * vendor: github.com/klauspost/compress v1.18.4\n * fix: prefer otel variables over hard coded service name\n * vendor: github.com/spf13/cobra v1.10.2\n * vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0\n * fix: sync parent dir to ensure data is reliably stored\n * modernize code\n * vendor: github.com/docker/go-events 605354379745\n * vendor: github.com/go-jose/go-jose/v4 v4.1.3\n * build(deps): bump github/codeql-action from 4.32.2 to 4.32.5\n * build(deps): bump docker/login-action from 3 to 4\n * build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0\n * build(deps): bump docker/setup-buildx-action from 3 to 4\n * build(deps): bump docker/bake-action from 6 to 7\n * build(deps): bump docker/metadata-action from 5 to 6\n * fix: nil-check scheduler in `proxyingRegistry.Close()`\n * fix: set MD5 on GCS writer before first `Write` call in\n `putContent`\n * docs: pull through cache will pull from remote multiple times\n * Update s3.md regionendpoint option\n * chore(deps): Bump Go to latest 1.25 in CI workflows and\n go.mod\n * fix: correct Ed25519 JWK thumbprint `kty` from `\"OTP\"` to\n `\"OKP\"`\n * Update vacuum.go\n * Opt: refector tag list pagination support (stage 1)\n * Correctly match environment variables to YAML-inlined structs\n in configuration\n * Enable Redis TLS without client certificates\n * build(deps): bump actions/deploy-pages from 4 to 5\n * build(deps): bump github/codeql-action from 4.32.5 to 4.34.1\n * fix(registry/proxy): use detached context when flushing write\n buffer\n * ci: pin actions and apply zizmor auto-fixes\n * build(deps): bump actions/setup-go from 6.3.0 to 6.4.0\n * build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to\n 4.1.4 in the go_modules group across 1 directory\n * chore(app): warn when partial TLS config is used in Redis\n * feat(registry): enhance authentication checks in htpasswd\n implementation\n * Opt: refactor tag list pagination support\n * build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0\n * build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0\n * fix(vendor): fix broke vendor validation\n * chore(ci): Prep for v3.1 release\n- Update to version 3.1.0:\n * fix(vendor): fix broke vendpor validation\n * fix redis repo-scoped blob descriptor revocation\n * proxy: bind bearer realms to upstream trust boundary\n- restore directory ownership after last change\n- Move config files in systemd tmpfiles dir for immutable mode\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-703",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21560-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21560-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621560-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21560-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046338.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259718",
"url": "https://bugzilla.suse.com/1259718"
},
{
"category": "self",
"summary": "SUSE Bug 1260283",
"url": "https://bugzilla.suse.com/1260283"
},
{
"category": "self",
"summary": "SUSE Bug 1261793",
"url": "https://bugzilla.suse.com/1261793"
},
{
"category": "self",
"summary": "SUSE Bug 1262096",
"url": "https://bugzilla.suse.com/1262096"
},
{
"category": "self",
"summary": "SUSE Bug 1262951",
"url": "https://bugzilla.suse.com/1262951"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35172 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35172/"
}
],
"title": "Security update for distribution",
"tracking": {
"current_release_date": "2026-05-06T00:44:14Z",
"generator": {
"date": "2026-05-06T00:44:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21560-1",
"initial_release_date": "2026-05-06T00:44:14Z",
"revision_history": [
{
"date": "2026-05-06T00:44:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product_id": "distribution-registry-3.1.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product_id": "distribution-registry-3.1.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product_id": "distribution-registry-3.1.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product_id": "distribution-registry-3.1.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33540"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33540",
"url": "https://www.suse.com/security/cve/CVE-2026-33540"
},
{
"category": "external",
"summary": "SUSE Bug 1261793 for CVE-2026-33540",
"url": "https://bugzilla.suse.com/1261793"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "moderate"
}
],
"title": "CVE-2026-33540"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-35172",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35172"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35172",
"url": "https://www.suse.com/security/cve/CVE-2026-35172"
},
{
"category": "external",
"summary": "SUSE Bug 1262096 for CVE-2026-35172",
"url": "https://bugzilla.suse.com/1262096"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-35172"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…