Tag Deletion Bypass in Container Distribution Toolkit by Docker
CVE-2026-41888

6.3MEDIUM

Key Information:

Vendor: Distribution
Status: Distribution
Vendor: CVE Published:; 14 May 2026

🔔 Create Distribution Vulnerability Alert

What is CVE-2026-41888?

The Docker Distribution toolkit, essential for managing container content, suffered from a vulnerability that enabled API clients to delete tags via the DELETE /v2//manifests/ endpoint. This functionality bypassed the explicitly set configuration that prevented tag deletion, thus compromising the integrity of repository management. The issue was addressed in version 3.1.1, emphasizing the need for users to upgrade to safeguard their container environments.

Affected Version(s)

distribution < 3.1.1

References

https://github.com/distribution/distribution/security/adv...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41888 Data

JSON