SB2026040898 - Multiple vulnerabilities in distribution




Published: April 8, 2026

Security Bulletin ID: SB2026040898
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-35172)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the repository-scoped redis blob descriptor cache invalidation logic when handling blob delete and subsequent stat or get operations across repositories. A remote attacker can request the same digest from another repository that still references it to disclose sensitive information.

Only deployments with both redis blob descriptor caching and delete enabled are vulnerable.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33540)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in pull-through cache proxy authentication when processing a WWW-Authenticate bearer realm from an upstream registry. A remote attacker can cause distribution to send configured upstream credentials via basic authentication to an attacker-controlled realm URL to disclose sensitive information.

This issue is exploitable if the configured upstream registry is attacker-controlled or if an attacker can intercept and modify the upstream connection.
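
One way a pull-through proxy can guard against the realm redirection described above is to validate the bearer realm before any upstream credentials are sent to it. This is an added example, not distribution's code or its actual fix; the function names, the operator-configured `trusted` host set and the hostnames are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// bearerRealm pulls the realm out of a WWW-Authenticate Bearer challenge.
// Only a fully quoted realm value is accepted; anything else fails closed.
func bearerRealm(challenge string) (string, error) {
	scheme, params, ok := strings.Cut(strings.TrimSpace(challenge), " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return "", fmt.Errorf("not a Bearer challenge")
	}
	for _, p := range strings.Split(params, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
		if strings.EqualFold(k, "realm") && len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			return v[1 : len(v)-1], nil
		}
	}
	return "", fmt.Errorf("no well-formed realm in challenge")
}

// checkRealm decides whether the proxy's upstream credentials may be sent to
// the realm. trusted is a hypothetical operator-configured set of token hosts.
func checkRealm(challenge string, trusted map[string]bool) error {
	realm, err := bearerRealm(challenge)
	if err != nil {
		return err
	}
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return fmt.Errorf("realm %q rejected: must be an https URL without userinfo", realm)
	}
	if !trusted[strings.ToLower(u.Hostname())] {
		return fmt.Errorf("realm host %q is not trusted; credentials withheld", u.Hostname())
	}
	return nil
}

func main() {
	trusted := map[string]bool{"auth.example.test": true} // constructed sample
	fmt.Println(checkRealm(`Bearer realm="https://auth.example.test/token"`, trusted))
	fmt.Println(checkRealm(`Bearer realm="https://collector.invalid/token"`, trusted))
}
```

The value returned by `bearerRealm` must be the same string the client later uses for the token request, so that the URL that was checked and the URL that receives credentials cannot differ.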


Remediation

Install the update from the vendor's website.