<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-33540 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33540/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Apr 2026 15:17:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33540/feed.xml" rel="self" type="application/rss+xml"/><item><title>Distribution Toolkit Authentication Redirection Vulnerability (CVE-2026-33540)</title><link>https://feed.craftedsignal.io/briefs/2026-04-distribution-auth-redirect/</link><pubDate>Mon, 06 Apr 2026 15:17:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-distribution-auth-redirect/</guid><description>A vulnerability in the distribution toolkit prior to 3.1.0 allows a malicious upstream registry or man-in-the-middle attacker to redirect authentication requests, potentially exposing upstream credentials.</description><content:encoded><![CDATA[<p>The distribution toolkit, used for managing container content, is vulnerable to an authentication redirection attack in versions prior to 3.1.0 when operating in pull-through cache mode. The vulnerability, identified as CVE-2026-33540, stems from the toolkit&rsquo;s method of discovering token authentication endpoints. It parses WWW-Authenticate challenges from upstream registries without properly validating the realm URL against the upstream registry host. 
This allows an attacker controlling the upstream registry or positioned as a Man-in-the-Middle to redirect authentication requests to an attacker-controlled realm URL. This results in distribution sending the configured upstream credentials via basic authentication to the malicious URL. Organizations using affected versions of the distribution toolkit are vulnerable to credential compromise if the toolkit interacts with a malicious or compromised upstream registry. Upgrading to version 3.1.0 or later resolves this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains control of, or a man-in-the-middle position toward, an upstream registry server used by the distribution toolkit.</li>
<li>Distribution toolkit attempts to pull an image from the upstream registry.</li>
<li>Attacker&rsquo;s registry responds with a WWW-Authenticate header, specifying a Bearer authentication scheme and an attacker-controlled realm URL.</li>
<li>The distribution toolkit, vulnerable to CVE-2026-33540, parses the WWW-Authenticate header but fails to validate the realm URL against the legitimate upstream registry.</li>
<li>The distribution toolkit initiates a basic authentication request to the attacker-controlled realm URL, sending the configured upstream credentials (username and password).</li>
<li>The attacker captures the credentials sent via basic authentication.</li>
<li>Attacker uses the compromised credentials to gain unauthorized access to the legitimate upstream registry.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33540 allows an attacker to steal credentials used by the distribution toolkit to authenticate to an upstream registry. This can lead to unauthorized access to container images stored in the upstream registry, potentially resulting in supply chain attacks, data breaches, or the deployment of malicious container images. The severity of the impact depends on the permissions associated with the compromised credentials and the sensitivity of the data stored in the upstream registry.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the distribution toolkit to version 3.1.0 or later to remediate CVE-2026-33540.</li>
<li>Implement network monitoring to detect basic authentication attempts originating from the distribution toolkit to unusual or unexpected destinations (see rule: &ldquo;Detect Basic Authentication to Non-Standard Ports&rdquo;).</li>
<li>Monitor network traffic for connections to unusual or suspicious realm URLs returned in WWW-Authenticate headers from container registries (see rule: &ldquo;Detect Authentication Redirection&rdquo;).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-33540</category><category>authentication</category><category>redirection</category><category>container</category></item></channel></rss>