Distribution's tag deletion bypasses `storage.delete.enabled` configuration — CVE-2026-41888
GHSA · GitHub · CVE-2026-41888
ID
CVE-2026-41888
CVE-2026-41888
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.3
6.3
Summary
### Summary Tag deletion via the `DELETE /v2/<name>/manifests/<tag>` endpoint bypasses the `storage.delete.enabled: false` configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. ### Details When `storage.delete.enabled` is configured to false, digest-based manifest deletion is correctly rejected by the guard in…
Product
go: github.com/distribution/distribution/v3 | go: github.com/distribution/distribution
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.