Platform: go
Component: github.com/distribution/distribution/v3
Fixed in: 3.1.1, 3.1.0
CVE-2026-33540 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in GitHub Distribution Registry. This flaw allows an attacker to manipulate the registry's pull-through cache mechanism, potentially leading to unauthorized access to internal resources. The vulnerability affects versions prior to 3.1.0 and has been resolved with the release of version 3.1.0.
The SSRF vulnerability arises from the way GitHub Distribution Registry handles WWW-Authenticate challenges in pull-through cache mode. When configured to use an upstream registry, the registry parses these challenges to discover token authentication endpoints. The realm URL, which names the host of the token endpoint, is used without proper validation. An attacker who controls the upstream registry (or who can interpose on the connection to it) can supply a malicious realm URL pointing at an internal service or resource that the registry should not be able to reach, so that the registry makes requests on the attacker's behalf. The potential impact includes exposure of sensitive data, unauthorized access to internal systems, and potentially even remote code execution if the internal service is itself vulnerable.
CVE-2026-33540 was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation in the wild, but the availability of a public description and the relatively simple nature of the exploit make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's mechanics are well-understood.
Organizations heavily reliant on Docker Distribution's pull-through cache functionality, particularly those with complex registry configurations or shared hosting environments, are at increased risk. Environments where upstream registries are not strictly controlled or monitored are also vulnerable.
• linux / server:
  journalctl -u docker -g "upstream registry"
• generic web:
  curl -I <docker_registry_url> | grep 'WWW-Authenticate'
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-33540 is to upgrade to GitHub Distribution Registry version 3.1.0 or later, which includes the necessary validation to prevent the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests from the registry, specifically blocking requests to unexpected or unauthorized hosts. Additionally, review the configuration of your upstream registry to ensure it is not susceptible to manipulation. Monitor registry logs for unusual outbound requests that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious realm URL and verifying that the request is blocked.
Upgrade to version 3.1.0 or later to prevent credential disclosure. This version fixes the vulnerability by ensuring that the realm URL matches the host of the upstream entry.
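The check described above (the realm host must match the configured upstream host) as an added illustration in Go; this is example code written for this page, not the distribution project's own fix. The function names `parseBearerChallenge` and `validateRealm`, the constructed challenge strings and the `allowedAuthHosts` allowlist are assumptions. The allowlist goes slightly beyond the page's strict host match, because some public upstreams serve tokens from a host other than the registry itself (Docker Hub answers from registry-1.docker.io but its token service is auth.docker.io), and an operator who needs that should enable it explicitly rather than weaken the check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// parseBearerChallenge splits a `Bearer k="v",k2="v2"` WWW-Authenticate value
// into its parameters. Keys are lower-cased and surrounding quotes removed.
// Constructed for this example: a production parser must also handle quoted
// commas and the other challenge forms of RFC 7235.
func parseBearerChallenge(header string) (map[string]string, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("expected a Bearer challenge, got %q", scheme)
	}
	params := map[string]string{}
	for _, kv := range strings.Split(rest, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		params[strings.ToLower(k)] = strings.Trim(v, `"`)
	}
	return params, nil
}

// validateRealm applies the rule the advisory's fix describes: the token
// endpoint advertised in the upstream's challenge must live on the upstream
// host (or on an explicitly allowed auth host). It returns the realm URL the
// cache may contact, or an error meaning "do not send a request there".
// upstream is the remote URL configured for the pull-through cache.
func validateRealm(upstream string, allowedAuthHosts []string, challenge string) (string, error) {
	up, err := url.Parse(upstream)
	if err != nil || up.Hostname() == "" {
		return "", fmt.Errorf("invalid upstream URL %q", upstream)
	}
	params, err := parseBearerChallenge(challenge)
	if err != nil {
		return "", err
	}
	realm, ok := params["realm"]
	if !ok || realm == "" {
		return "", errors.New("challenge carries no realm")
	}
	r, err := url.Parse(realm)
	if err != nil || r.Scheme == "" || r.Hostname() == "" {
		return "", fmt.Errorf("realm %q is not an absolute URL", realm)
	}
	// Never let a challenge downgrade the token exchange (and the credentials
	// it carries) to plaintext.
	if r.Scheme != "https" {
		return "", fmt.Errorf("realm %q must use https", realm)
	}
	// Hostnames are compared case-insensitively; the port is deliberately not
	// compared, since the same host on another port is still the upstream.
	allowed := map[string]bool{strings.ToLower(up.Hostname()): true}
	for _, h := range allowedAuthHosts {
		if hu, err := url.Parse("https://" + h); err == nil && hu.Hostname() != "" {
			allowed[strings.ToLower(hu.Hostname())] = true
		}
	}
	if !allowed[strings.ToLower(r.Hostname())] {
		return "", fmt.Errorf("realm host %q is not the upstream host %q or an allowed auth host",
			r.Hostname(), up.Hostname())
	}
	return realm, nil
}

func main() {
	upstream := "https://registry.example.com"
	// Constructed challenges, as an upstream (or an interposed party) might send them.
	for _, ch := range []string{
		`Bearer realm="https://registry.example.com/v2/token",service="registry.example.com",scope="repository:app:pull"`,
		`Bearer realm="https://internal-db.corp.local/",service="registry.example.com"`,
		`Bearer realm="http://registry.example.com/v2/token",service="registry.example.com"`,
		`Basic realm="registry"`,
	} {
		realm, err := validateRealm(upstream, nil, ch)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("would fetch token from:", realm)
	}
}
```

Wiring this in means calling `validateRealm` before any HTTP request is made to the realm; logging the rejections gives the "unusual outbound request" signal the mitigation section asks operators to monitor for.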
CVE-2026-33540 is a HIGH severity vulnerability in Docker Distribution v3 that allows an attacker-controlled upstream registry to trick the system into sending credentials due to improper URL validation.
You are affected if you are using Docker Distribution versions prior to 3.1.0 and have pull-through cache mode enabled.
Upgrade Docker Distribution to version 3.1.0 or later. As a temporary workaround, disable pull-through cache mode.
There is currently no indication of active exploitation, but the vulnerability's nature suggests a potential risk.
Refer to the GitHub Security Advisory: https://github.com/distribution/distribution/security/advisories/new