CVE-2026-33540
Received Received - Intake
Credential Exposure via Improper Auth Validation in Distribution Toolkit

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33540
EUVD
EUVD-2026-19289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
distribution_project distribution to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-33540 results in the disclosure of upstream credentials due to improper validation of bearer realm URLs, which can lead to credential exfiltration by attackers controlling or intercepting upstream registry communications.

Such credential disclosure can impact compliance with common standards and regulations like GDPR and HIPAA, as these frameworks require protection of sensitive authentication information and prevention of unauthorized access to systems.

If broader credentials, such as cloud IAM credentials, are used for upstream authentication, the downstream impact could be more severe, potentially leading to unauthorized access to sensitive data or systems, thereby increasing compliance risks.

Therefore, organizations using affected versions of the distribution toolkit may face challenges in maintaining compliance with data protection and security requirements until the vulnerability is remediated.

Executive Summary

CVE-2026-33540 is a high-severity vulnerability in the Go module "distribution" (versions up to 3.0.0) that affects its pull-through cache authentication mechanism.

The vulnerability occurs because the system discovers token authentication endpoints by parsing the WWW-Authenticate bearer challenges returned by the configured upstream registry, extracting the bearer realm URL without validating that it matches the upstream registry host.

This lack of validation allows an attacker-controlled upstream registry or a man-in-the-middle (MitM) attacker on the upstream connection to cause the distribution service to send configured upstream credentials via basic authentication to an attacker-controlled realm URL.

As a result, sensitive upstream credentials can be exfiltrated by the attacker.

The vulnerability is fixed in version 3.1.0 by enforcing strict validation that the token realm URL matches the trusted upstream host before sending credentials.

Impact Analysis

This vulnerability can lead to the disclosure of sensitive upstream credentials used by the distribution pull-through cache.

If an attacker controls the upstream registry or can perform a man-in-the-middle attack on the upstream connection, they can trick the system into sending these credentials to an attacker-controlled server.

The impact includes credential exfiltration, which could allow attackers to gain unauthorized access to upstream registries or other services authenticated by those credentials.

If broader credentials such as cloud IAM credentials are used upstream, the downstream impact could be more severe, potentially leading to further compromise.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unexpected basic authentication credentials being sent to unknown or attacker-controlled realm URLs during pull-through cache operations in the distribution service.

Specifically, you can inspect HTTP headers, especially the WWW-Authenticate bearer challenges returned by the upstream registry, to verify if the realm URL matches the configured upstream registry host.

Commands to help detect this might include using network packet capture tools like tcpdump or Wireshark to filter for HTTP requests containing Authorization headers sent to unexpected hosts.

  • tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'Authorization: Basic'
  • Use curl or similar tools to manually inspect the WWW-Authenticate headers from the upstream registry: curl -v -I https://<upstream-registry>

Additionally, reviewing logs of the distribution service for authentication attempts to unexpected realm URLs can help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the distribution service to version 3.1.0 or later, where the vulnerability is fixed by validating that the bearer realm URL matches the configured upstream registry host before sending credentials.

Until the upgrade can be performed, ensure that communication with the upstream registry is secured using encrypted transport (e.g., HTTPS) to reduce the risk of man-in-the-middle attacks.

Also, verify and restrict the configured upstream registries to trusted sources only, avoiding any potentially compromised or attacker-controlled registries.

Monitoring and alerting on unusual authentication traffic to unknown hosts can help detect exploitation attempts during the mitigation period.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33540. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart