{"id":"CVE-2026-41888","summary":"Distribution: Tag deletion bypasses `storage.delete.enabled` configuration","details":"Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/\u003cname\u003e/manifests/\u003ctag\u003e endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.","aliases":["GHSA-6pjf-3r9x-m592"],"modified":"2026-05-28T03:53:52.345489586Z","published":"2026-05-14T16:53:37.561Z","related":["CGA-j7rr-974q-x453","SUSE-SU-2026:2049-1","openSUSE-SU-2026:10812-1","openSUSE-SU-2026:10814-1","openSUSE-SU-2026:10824-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-863"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41888.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41888.json"},{"type":"ADVISORY","url":"https://github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41888"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/distribution/distribution","events":[{"introduced":"0"},{"fixed":"9a8d98b679740cd514aa7e7d84d23d442a5ef54c"}]}],"versions":["v3.1.0","v3.0.0","v3.0.0-rc.4","v3.0.0-rc.3","v3.0.0-rc.2","v3.0.0-rc.1","v3.0.0-beta.1","v3.0.0-alpha.1","v2.7.0","v2.7.0-rc.0","v2.6.0-rc.1","docs-v2.4.1-2016-06-28","v2.5.0-rc.1","v2.4.0-rc.1","v2.3.0-rc.2","v2.3.0-rc.0","v2.3.0-rc.1","v2.3.0-alpha","v2.2.1","v2.2.0","v2.1.1","v2.1.0","v2.1.0-rc.0","v2.0.0","v2.0.0-rc.4","v2.0.0-rc.3","v2.0.0-rc.2","v2.0.0-rc.1","v2.0.0-rc.0","v2.0.0-alpha.3","v2.0.0-alpha.2","v2.0.0-alpha.1","v2.0.0-alpha.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41888.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"}]}