CVE-2026-33540 HIGH

CVE-2026-33540: Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

Vendor Distribution
Product distribution
Weakness CWE-918 · SSRF
Published April 6, 2026
Last update April 6, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-46698 Fediverse Embeds: Public-nonce SSRF via ftf_get_site_info AJAX action CVE-2024-3095 SSRF in Langchain Web Research Retriever in langchain-ai/langchain CVE-2025-32675 WordPress SEO Help plugin <= 6.7.9 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-25494 Craft has a SSRF in GraphQL Asset Mutation via Alternative IP Notation CVE-2022-45362 WordPress Paytm Payment Gateway Plugin <= 2.7.0 is vulnerable to Server Side Request Forgery (SSRF)