{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33540/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33540"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-33540","authentication","redirection","container"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe distribution toolkit, used for managing container content, is vulnerable to an authentication redirection attack in versions prior to 3.1.0 when operating in pull-through cache mode. The vulnerability, identified as CVE-2026-33540, stems from the toolkit\u0026rsquo;s method of discovering token authentication endpoints. When the upstream registry answers a request with a WWW-Authenticate Bearer challenge, the toolkit reads the realm parameter from that challenge and requests a token from it, presenting the configured upstream username and password via HTTP Basic authentication. In affected versions the realm URL is not validated against the upstream registry host, so an attacker who controls the upstream registry, or who can tamper with its responses from a Man-in-the-Middle position, can supply a realm URL on a host they control and receive those credentials in the Basic Authorization header. Organizations running affected versions are exposed to credential compromise whenever the toolkit interacts with a malicious or compromised upstream registry. 
Upgrading to version 3.1.0 or later resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control of, or a Man-in-the-Middle position towards, the upstream registry that the distribution toolkit is configured to proxy.\u003c/li\u003e\n\u003cli\u003eThe distribution toolkit attempts to pull an image from the upstream registry.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s registry (or the tampered response) carries a WWW-Authenticate header specifying the Bearer scheme and a realm URL that points at an attacker-controlled host.\u003c/li\u003e\n\u003cli\u003eThe distribution toolkit, vulnerable to CVE-2026-33540, parses the challenge and accepts the realm without checking it against the legitimate upstream registry host.\u003c/li\u003e\n\u003cli\u003eThe toolkit requests a token from the attacker-controlled realm URL, sending the configured upstream username and password in an HTTP Basic Authorization header.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server records the credentials from that header.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to authenticate directly to the legitimate upstream registry.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33540 allows an attacker to steal the credentials the distribution toolkit uses to authenticate to an upstream registry. With them, the attacker gains whatever access those credentials carry on the upstream: reading private container images, and, if the credentials also permit push, publishing tampered images that downstream consumers will pull, which turns a credential leak into a supply chain compromise. 
The severity of the impact depends on the permissions associated with the compromised credentials and the sensitivity of the data stored in the upstream registry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the distribution toolkit to version 3.1.0 or later to remediate CVE-2026-33540. Only instances running as a pull-through cache (a proxy section with upstream credentials in the registry configuration) are affected, so inventory those first.\u003c/li\u003e\n\u003cli\u003eIf an affected instance may have contacted an untrusted or compromised upstream, rotate the upstream credentials. In any case, scope them to read-only pull access so that a leaked credential cannot be used to push images.\u003c/li\u003e\n\u003cli\u003eReach upstream registries only over verified TLS. A Man-in-the-Middle can inject a challenge only where the upstream connection is plain HTTP or certificate verification has been disabled.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect basic authentication attempts originating from the distribution toolkit to unusual or unexpected destinations (see rule: \u0026ldquo;Detect Basic Authentication to Non-Standard Ports\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or suspicious realm URLs returned in WWW-Authenticate headers from container registries (see rule: \u0026ldquo;Detect Authentication Redirection\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:10Z","date_published":"2026-04-06T15:17:10Z","id":"/briefs/2026-04-distribution-auth-redirect/","summary":"A vulnerability in the distribution toolkit prior to 3.1.0 allows a malicious upstream registry or man-in-the-middle attacker to redirect authentication requests, potentially exposing upstream credentials.","title":"Distribution Toolkit Authentication Redirection Vulnerability (CVE-2026-33540)","url":"https://feed.craftedsignal.io/briefs/2026-04-distribution-auth-redirect/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33540","version":"https://jsonfeed.org/version/1.1"}
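The attack chain in the brief above comes down to one decision: which host the realm parameter of a Bearer challenge is allowed to name. The following Go program is an added example written for this page; it is not code from the distribution project and does not reproduce its actual 3.1.0 fix. It parses a constructed WWW-Authenticate challenge, shows the pre-fix behaviour (the realm is taken as-is, so the credentials would go wherever the upstream says) beside a hardened check that only accepts an https realm whose host is the upstream registry host or an explicitly allowed token-server host. The function names (parseBearerChallenge, tokenRealmUnchecked, tokenRealmChecked), the hostnames and the challenge strings are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// parseBearerChallenge extracts the key="value" parameters of a
// "Bearer ..." WWW-Authenticate challenge into a map. The parsing is
// deliberately simple (split on commas, strip surrounding quotes), which
// covers the realm/service/scope parameters registries actually emit.
func parseBearerChallenge(header string) (map[string]string, error) {
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, kv := range strings.Split(header[len(prefix):], ",") {
		parts := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		key := strings.ToLower(strings.TrimSpace(parts[0]))
		params[key] = strings.Trim(strings.TrimSpace(parts[1]), "\"")
	}
	return params, nil
}

// tokenRealmUnchecked mirrors the pre-3.1.0 behaviour the brief describes:
// whatever realm the upstream sends is where the Basic credentials go.
func tokenRealmUnchecked(challenge string) (string, error) {
	p, err := parseBearerChallenge(challenge)
	if err != nil {
		return "", err
	}
	return p["realm"], nil
}

// tokenRealmChecked accepts the realm only if it is an https URL whose host
// is the upstream registry host or one of allowedRealmHosts. This is an
// illustrative allowlist check written for this example, not the project's fix.
func tokenRealmChecked(upstream, challenge string, allowedRealmHosts []string) (string, error) {
	p, err := parseBearerChallenge(challenge)
	if err != nil {
		return "", err
	}
	realm, ok := p["realm"]
	if !ok {
		return "", errors.New("challenge has no realm")
	}
	u, err := url.Parse(realm)
	if err != nil {
		return "", fmt.Errorf("bad realm URL: %w", err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("refusing non-https realm %q", realm)
	}
	up, err := url.Parse(upstream)
	if err != nil {
		return "", fmt.Errorf("bad upstream URL: %w", err)
	}
	allowed := append([]string{up.Hostname()}, allowedRealmHosts...)
	for _, h := range allowed {
		if strings.EqualFold(u.Hostname(), h) {
			return realm, nil
		}
	}
	return "", fmt.Errorf("realm host %q not allowed for upstream %q", u.Hostname(), up.Hostname())
}

func main() {
	// Constructed upstream and challenges: one legitimate, one as an
	// attacker-controlled upstream or Man-in-the-Middle would inject it.
	upstream := "https://registry.example.internal"
	good := "Bearer realm=\"https://registry.example.internal/token\",service=\"registry.example.internal\",scope=\"repository:app/web:pull\""
	evil := "Bearer realm=\"https://attacker.example/token\",service=\"registry.example.internal\""
	for _, c := range []string{good, evil} {
		r, _ := tokenRealmUnchecked(c)
		fmt.Printf("unchecked: credentials would go to %s\n", r)
		if r, err := tokenRealmChecked(upstream, c, nil); err != nil {
			fmt.Println("checked:   rejected:", err)
		} else {
			fmt.Println("checked:   credentials go to", r)
		}
	}
}
```

The allowlist parameter exists because an exact host match is too strict for some real upstreams: Docker Hub, for instance, serves images from registry-1.docker.io but issues tokens from auth.docker.io, so a proxy pointed there needs that token host listed explicitly rather than accepting any realm the response names.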