CVE-2026-33540
Credential Exposure via Improper Auth Validation in Distribution Toolkit
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| distribution_project | distribution | up to 3.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33540 is a high-severity vulnerability in the Go module "distribution" (versions up to 3.0.0) that affects its pull-through cache authentication mechanism.
The vulnerability occurs because the system discovers token authentication endpoints by parsing the WWW-Authenticate bearer challenges returned by the configured upstream registry, extracting the bearer realm URL without validating that it matches the upstream registry host.
This lack of validation allows an attacker-controlled upstream registry or a man-in-the-middle (MitM) attacker on the upstream connection to cause the distribution service to send configured upstream credentials via basic authentication to an attacker-controlled realm URL.
As a result, sensitive upstream credentials can be exfiltrated by the attacker.
The vulnerability is fixed in version 3.1.0 by enforcing strict validation that the token realm URL matches the trusted upstream host before sending credentials.
How can this vulnerability impact me?
This vulnerability can lead to the disclosure of sensitive upstream credentials used by the distribution pull-through cache.
If an attacker controls the upstream registry or can perform a man-in-the-middle attack on the upstream connection, they can trick the system into sending these credentials to an attacker-controlled server.
The impact includes credential exfiltration, which could allow attackers to gain unauthorized access to upstream registries or other services authenticated by those credentials.
If broader credentials such as cloud IAM credentials are used upstream, the downstream impact could be more severe, potentially leading to further compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for unexpected basic authentication credentials being sent to unknown or attacker-controlled realm URLs during pull-through cache operations in the distribution service.
Specifically, you can inspect HTTP headers, especially the WWW-Authenticate bearer challenges returned by the upstream registry, to verify if the realm URL matches the configured upstream registry host.
Commands to help detect this might include using network packet capture tools like tcpdump or Wireshark to filter for HTTP requests containing Authorization headers sent to unexpected hosts.
- tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'Authorization: Basic'
- Use curl or similar tools to manually inspect the WWW-Authenticate headers from the upstream registry: curl -v -I https://<upstream-registry>
Additionally, reviewing logs of the distribution service for authentication attempts to unexpected realm URLs can help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the distribution service to version 3.1.0 or later, where the vulnerability is fixed by validating that the bearer realm URL matches the configured upstream registry host before sending credentials.
Until the upgrade can be performed, ensure that communication with the upstream registry is secured using encrypted transport (e.g., HTTPS) to reduce the risk of man-in-the-middle attacks.
Also, verify and restrict the configured upstream registries to trusted sources only, avoiding any potentially compromised or attacker-controlled registries.
Monitoring and alerting on unusual authentication traffic to unknown hosts can help detect exploitation attempts during the mitigation period.
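The realm check that the fix enforces, as an added Go example that is not the distribution project's code: it parses the upstream Bearer challenge and returns the token endpoint only when the realm is an HTTPS URL on the configured upstream host (or on an explicitly allowed token host, an assumption of this example); the function names, the allowlist parameter and the sample challenges are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)
// parseBearerChallenge returns the parameters of a Bearer challenge (realm, service, scope).
func parseBearerChallenge(header string) (map[string]string, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	params := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(rest, -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	return params, nil
}
// tokenEndpoint returns the realm URL only if it is HTTPS and its host is the
// configured upstream host or an explicitly allowed token host (the allowlist
// is this example's assumption); any other realm is rejected before credentials are sent.
func tokenEndpoint(upstream string, allowedHosts []string, header string) (string, error) {
	params, err := parseBearerChallenge(header)
	if err != nil {
		return "", err
	}
	up, err := url.Parse(upstream)
	if err != nil || up.Hostname() == "" {
		return "", fmt.Errorf("bad upstream URL %q", upstream)
	}
	realm, err := url.Parse(params["realm"])
	if err != nil || realm.Scheme != "https" || realm.Hostname() == "" {
		return "", fmt.Errorf("realm %q is not an https URL", params["realm"])
	}
	for _, h := range append([]string{up.Hostname()}, allowedHosts...) {
		if strings.EqualFold(realm.Hostname(), h) {
			return realm.String(), nil
		}
	}
	return "", fmt.Errorf("realm host %q is not the upstream host %q", realm.Hostname(), up.Hostname())
}

func main() { // constructed challenges: the second must be rejected
	fmt.Println(tokenEndpoint("https://registry.example.com", nil, `Bearer realm="https://registry.example.com/token",service="registry"`))
	fmt.Println(tokenEndpoint("https://registry.example.com", nil, `Bearer realm="https://attacker.example/token",service="registry"`))
}
```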
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33540 results in the disclosure of upstream credentials due to improper validation of bearer realm URLs, which can lead to credential exfiltration by attackers controlling or intercepting upstream registry communications.
Such credential disclosure can impact compliance with common standards and regulations like GDPR and HIPAA, as these frameworks require protection of sensitive authentication information and prevention of unauthorized access to systems.
If broader credentials, such as cloud IAM credentials, are used for upstream authentication, the downstream impact could be more severe, potentially leading to unauthorized access to sensitive data or systems, thereby increasing compliance risks.
Therefore, organizations using affected versions of the distribution toolkit may face challenges in maintaining compliance with data protection and security requirements until the vulnerability is remediated.