Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-33540 · CVSS 7.5 · Exploited · Patched
Red Hat · distribution

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
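Added example, not code from the distribution project: a Go sketch of the check the description says was missing, parsing the Bearer challenge and accepting its realm only when it is HTTPS and its host is the configured upstream host (plus an operator-supplied list of extra auth hosts, for registries whose token service lives on a separate hostname). The function names, the regexp and the extraAuthHosts parameter are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// realmRe extracts the realm parameter, e.g. Bearer realm="https://h/token",service="x"
var realmRe = regexp.MustCompile(`(?i)\brealm="([^"]*)"`)

// ParseBearerRealm returns the realm URL from a WWW-Authenticate value, or
// an error if the value is not a Bearer challenge carrying a realm.
func ParseBearerRealm(challenge string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(strings.TrimSpace(challenge)), "bearer ") {
		return "", fmt.Errorf("not a Bearer challenge: %q", challenge)
	}
	m := realmRe.FindStringSubmatch(challenge)
	if m == nil {
		return "", fmt.Errorf("bearer challenge has no realm: %q", challenge)
	}
	return m[1], nil
}

// TokenEndpoint is the hardened selection step: the realm is accepted only if
// it is HTTPS and its host is the configured upstream host or one of the
// operator-configured extra auth hosts. Anything else is rejected before any
// upstream credential is attached to a request.
func TokenEndpoint(upstream, challenge string, extraAuthHosts []string) (string, error) {
	realm, err := ParseBearerRealm(challenge)
	if err != nil {
		return "", err
	}
	up, err := url.Parse(upstream)
	if err != nil {
		return "", err
	}
	r, err := url.Parse(realm)
	if err != nil || r.Scheme != "https" {
		return "", fmt.Errorf("realm %q is not a valid https URL", realm)
	}
	allowed := strings.EqualFold(r.Hostname(), up.Hostname())
	for _, h := range extraAuthHosts {
		allowed = allowed || strings.EqualFold(r.Hostname(), h)
	}
	if !allowed {
		return "", fmt.Errorf("realm host %q is not the upstream host %q", r.Hostname(), up.Hostname())
	}
	return r.String(), nil
}
```

A realm pointing at any other host, a plain-http realm, a relative realm, or a non-Bearer challenge all fail closed, so the configured upstream credentials never leave for an unexpected endpoint.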

Affected Products

Vendor: Red Hat
Product: distribution
Versions: go/github.com/distribution/distribution/v3: < 3.1.0; go/github.com/distribution/distribution: <= 2.8.3

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor: go
Product: github.com/distribution/distribution
Source: GHSA
Confidence: 85%

References

  • https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r (confirmed source)

Related News (1 article)

VulDB · Tier C · 3h ago
CVE-2026-33540 | Distribution up to 3.0.x server-side request forgery (GHSA-3p65-76g6-3w7r)
→ No new info (linked only)
CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: github.com/distribution/distribution/v3@3.1.0
CWE: CWE-918
Published: Apr 6, 2026
Last enriched: 2h ago (v2)
Trending Score: 64
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

  • CVE-2026-4634 (HIGH, EXP): Keycloak: keycloak: denial of service via excessive processing of OpenID Connect scope parameters (Trending: 30)
  • CVE-2026-5704 (CRITICAL): Tar: tar: hidden file injection via crafted archives (Trending: 30)
  • CVE-2026-3872 (HIGH, EXP): Keycloak: keycloak: information disclosure due to redirect_uri validation bypass (Trending: 27)
  • CVE-2026-4282 (HIGH, EXP): Keycloak: keycloak: privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw (Trending: 27)
  • CVE-2026-4636 (HIGH, EXP): Keycloak: keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources (Trending: 27)


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 6, 2026
Discovered by ZDM: Apr 6, 2026
Actively Exploited: Apr 6, 2026
Patch Available: Apr 6, 2026
Updated (affectedVersions, severity, activelyExploited): Apr 6, 2026

Version History

v2 · Tier C · 2h ago (last enriched)

Updated affected versions to < 3.0.0, changed severity to CRITICAL, and noted that no exploit is available.

Fields changed: affectedVersions, severity, activelyExploited (via VulDB)

v1 · 4h ago

Initial creation