SB2026050501 - Fedora 45 update for docker-distribution

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026050501

SB2026050501 - Fedora 45 update for docker-distribution

Published: May 5, 2026

Security Bulletin ID SB2026050501
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper Authorization (CVE-ID: CVE-2026-41888)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper access control in the DELETE /v2//manifests/ endpoint when handling tag deletion requests. A remote API client can send a crafted DELETE request for a tag reference to remove tags from repositories even when the operator has explicitly disabled deletion.


2) Improper access control (CVE-ID: CVE-2026-35172)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the repository-scoped redis blob descriptor cache invalidation logic when handling blob delete and subsequent stat or get operations across repositories. A remote attacker can request the same digest from another repository that still references it to disclose sensitive information.

Only deployments with both redis blob descriptor caching and delete enabled are vulnerable.


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33540)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in pull-through cache proxy authentication when processing a WWW-Authenticate bearer realm from an upstream registry. A remote attacker can cause distribution to send configured upstream credentials via basic authentication to an attacker-controlled realm URL to disclose sensitive information.

This issue is exploitable if the configured upstream registry is attacker-controlled or if an attacker can intercept and modify the upstream connection.


4) Improper input validation (CVE-ID: CVE-2026-34986)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in JWE decryption in key_wrap.go when processing a JWE object with a key wrapping algorithm and an empty encrypted_key field. A remote attacker can send a specially crafted JWE object to cause a denial of service.

The issue is reachable through ParseEncrypted(), ParseEncryptedJSON(), or ParseEncryptedCompact() followed by Decrypt(), and applications are affected only if accepted key algorithms include key wrapping algorithms.


Remediation

Install update from vendor's website.

References