{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33540", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.831Z", "datePublished": "2026-04-06T14:55:04.812Z", "dateUpdated": "2026-04-06T15:04:50.154Z"}, "containers": {"cna": {"title": "Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"}], "affected": [{"vendor": "distribution", "product": "distribution", "versions": [{"version": "< 3.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:55:04.812Z"}, "descriptions": [{"lang": "en", "value": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0."}], "source": {"advisory": "GHSA-3p65-76g6-3w7r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:04:46.763761Z", "id": "CVE-2026-33540", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:04:50.154Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33540", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:04:46.763761Z"}}}], "references": [{"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:04:39.539Z"}}], "cna": {"title": "Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm", "source": {"advisory": "GHSA-3p65-76g6-3w7r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "distribution", "product": "distribution", "versions": [{"status": "affected", "version": "< 3.1.0"}]}], "references": [{"url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r", "name": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:55:04.812Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33540", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:04:50.154Z", "dateReserved": "2026-03-20T18:05:11.831Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T14:55:04.812Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0."}], "id": "CVE-2026-33540", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:10.950", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/distribution/distribution: Distribution: Information disclosure via improper validation of authentication realm URL", "id": "2455430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455430"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in Distribution, a toolkit for managing container content. When operating in pull-through cache mode, Distribution incorrectly processes authentication challenges from an upstream registry. An attacker controlling the upstream registry, or positioned as a Man-in-the-Middle (MitM), can exploit this by providing a malicious authentication realm URL. This vulnerability can cause Distribution to send sensitive upstream credentials, via basic authentication, to an attacker-controlled server, leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that all upstream registries configured for Distribution in pull-through cache mode are trusted and secured. Implement network segmentation and firewall rules to restrict outbound connections from the Distribution instance to only known and trusted upstream registry endpoints. This reduces the risk of an attacker-controlled upstream or a Man-in-the-Middle attack redirecting authentication."}, "name": "CVE-2026-33540", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift3/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-framework-tools-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-lifecycle-manager-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-operator-registry", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-06T14:55:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33540\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33540\nhttps://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r"], "threat_severity": "Moderate"}