Skip to main content

Red Hat CVE-2026-33540

| EUVDEUVD-2026-19289 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-06 security-advisories@github.com GHSA-3p65-76g6-3w7r
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
3.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 06, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 06, 2026 - 15:22 euvd
EUVD-2026-19289
Analysis Generated
Apr 06, 2026 - 15:22 vuln.today
CVE Published
Apr 06, 2026 - 15:17 nvd
HIGH 7.5

DescriptionGitHub Advisory

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.

AnalysisAI

Server-Side Request Forgery (SSRF) in distribution container toolkit versions before 3.1.0 enables credential theft via malicious upstream registry responses. When operating in pull-through cache mode, distribution parses WWW-Authenticate bearer challenges from upstream registries without validating the realm URL against the configured upstream host. Attackers controlling the upstream registry or positioned for man-in-the-middle attacks can specify arbitrary realm URLs, causing distribution to transmit configured upstream credentials via basic authentication to attacker-controlled endpoints (CVSS 7.5, High confidentiality impact). EPSS data and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only network access with low complexity (AV:N/AC:L) and no authentication (PR:N).

Technical ContextAI

The distribution project (formerly Docker Registry) is a reference implementation for storing and distributing container images via OCI/Docker registry protocols. In pull-through cache deployments, distribution acts as a transparent proxy that retrieves and caches images from upstream registries. The vulnerability stems from improper URL validation during OAuth 2.0 bearer token authentication flows (RFC 6750). When parsing WWW-Authenticate headers containing bearer challenges (e.g., 'Bearer realm="https://auth.example.com/token"'), distribution extracts the realm URL to obtain access tokens but fails to verify this URL belongs to the trusted upstream registry domain. This CWE-918 Server-Side Request Forgery flaw allows attacker-supplied realm URLs to be trusted, causing the application to initiate outbound HTTP requests with sensitive credentials to arbitrary destinations. The vulnerability specifically affects the authentication middleware that handles token discovery and credential passing in pull-through cache configurations where upstream authentication is required.

RemediationAI

Upgrade distribution to version 3.1.0 or later, which implements proper validation of bearer challenge realm URLs to ensure they match the configured upstream registry domain before transmitting credentials. Organizations unable to immediately upgrade should disable pull-through cache functionality or remove upstream authentication credentials from distribution configuration, instead using unauthenticated public registries or implementing network-layer controls to prevent distribution from reaching attacker-controlled destinations. Deploy egress filtering to restrict distribution servers to communicate only with known-legitimate registry domains. Review authentication logs for the period prior to patching to identify potential unauthorized realm URL requests that may indicate exploitation attempts or successful credential theft. Rotate any upstream registry credentials that were configured in vulnerable distribution deployments. Consult the GitHub Security Advisory at https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r for additional vendor guidance and validation procedures.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Containers 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-33540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy