Platform: go
Component: github.com/distribution/distribution/v3
Fixed in: 3.1.1, 3.1.0
CVE-2026-33540 describes a token authentication bypass vulnerability in Docker Distribution v3. When operating in pull-through cache mode, the distribution component incorrectly validates URLs from upstream registries. This flaw allows a malicious upstream registry, or an attacker performing a man-in-the-middle attack, to induce the distribution system to transmit authentication tokens to unintended destinations. The vulnerability affects versions prior to 3.1.0 and has been addressed with a patch.
An attacker exploiting this vulnerability could potentially gain unauthorized access to sensitive data or systems. By controlling an upstream registry, an attacker can craft a malicious WWW-Authenticate challenge that directs Docker Distribution to send authentication tokens to a server under their control. This could lead to credential theft, allowing the attacker to impersonate legitimate users and access private repositories or other resources within the Docker environment. The blast radius extends to any system relying on Docker Distribution's pull-through cache functionality, potentially impacting multiple services and applications.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation in the wild, but the availability of a detailed description and the potential for relatively straightforward exploitation suggest a medium probability of exploitation (EPSS score likely medium). No public proof-of-concept (PoC) code has been released at the time of writing.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33540 is to upgrade Docker Distribution to version 3.1.0 or later, which includes the necessary validation checks. If an immediate upgrade is not feasible, consider disabling pull-through cache mode as a temporary workaround. Additionally, apply strict network policies and use intrusion detection to monitor for suspicious traffic patterns, particularly authentication tokens being sent to unexpected destinations. Monitor Docker Distribution logs for unusual authentication attempts or errors related to upstream registry connections. After upgrading, confirm that realm URL validation is working by pulling an image through the cache from a known, trusted upstream registry.
Update to version 3.1.0 or higher to prevent credential exposure. This version fixes the vulnerability by validating that the realm URL matches the upstream registry host.
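As an added illustration (not code from the distribution project), the following Go snippet shows how a pull-through cache can parse the upstream's WWW-Authenticate Bearer challenge and refuse to send its upstream credentials unless the realm is an https URL on the configured upstream host, which is the rule this advisory attributes to the 3.1.0 fix; the function names, the upstream-host parameter and the sample challenge are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// splitParams splits on commas outside double quotes (scope="...pull,push" stays whole).
func splitParams(s string) []string {
	var parts []string
	inQuote, start := false, 0
	for i, r := range s {
		if r == '"' {
			inQuote = !inQuote
		} else if r == ',' && !inQuote {
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}

// tokenEndpointFor parses the upstream's WWW-Authenticate Bearer challenge and
// returns the realm the cache may send its upstream credentials to: an absolute
// https URL whose host equals the configured upstream host, the check the
// advisory attributes to 3.1.0 (assumption: the project's exact rule may differ).
func tokenEndpointFor(upstreamHost, header string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(header), "bearer ") {
		return "", fmt.Errorf("not a Bearer challenge: %q", header)
	}
	realm := ""
	for _, part := range splitParams(header[len("bearer "):]) {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "realm") {
			realm = strings.Trim(kv[1], `"`)
		}
	}
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("realm %q is not an absolute https URL", realm)
	}
	if !strings.EqualFold(u.Host, upstreamHost) {
		return "", fmt.Errorf("realm host %q does not match upstream %q; credentials withheld", u.Host, upstreamHost)
	}
	return u.String(), nil
}

func main() { // constructed hostile challenge: realm points away from the upstream
	fmt.Println(tokenEndpointFor("registry.example:5000", `Bearer realm="https://evil.example/token"`))
}
```

Because url.Parse separates userinfo from the host, a realm such as https://registry.example:5000@evil.example/token is compared on evil.example and refused as well.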
CVE-2026-33540 is a HIGH severity vulnerability in Docker Distribution v3 that allows an attacker-controlled upstream registry to trick the system into sending credentials due to improper URL validation.
You are affected if you are using Docker Distribution versions prior to 3.1.0 and have pull-through cache mode enabled.
Upgrade Docker Distribution to version 3.1.0 or later. As a temporary workaround, disable pull-through cache mode.
There is currently no indication of active exploitation, but the vulnerability's nature suggests a potential risk.
Refer to the GitHub Security Advisory: https://github.com/distribution/distribution/security/advisories/new