CVE-2026-41888
Distribution: Tag deletion bypasses `storage.delete.enabled` configuration
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.
| CWE | CWE-863 |
| Vendor | distribution |
| Product | distribution |
| Published | May 14, 2026 |
| Last Updated | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for distribution distribution
Be the first to know when new unknown vulnerabilities affecting distribution distribution are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
distribution / distribution
< 3.1.1