PT-2026-37158 · Unknown · Distribution

Joonas · Published 2026-05-04 · Updated 2026-05-20 · CVE-2026-41888

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Distribution versions prior to 3.1.1

Description

An authorization bypass exists where tag deletion via the "/v2//manifests/" endpoint ignores the storage.delete.enabled: false configuration. This allows any API client to remove tags from repositories even when the operator has explicitly disabled deletion. The issue occurs because the DeleteManifest() function detects a tag reference and calls tagStore.Untag(), which interacts with the storage driver directly without verifying if deletes are enabled.

Recommendations

Update to version 3.1.1.
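
As an added example (not part of the advisory or of the Distribution project's code), the Go program below scans access-log lines for successful DELETE requests on a manifests URL whose reference is a tag rather than a digest, which is the request shape the description covers; on a registry running with storage.delete.enabled: false, any hit warrants review. The Combined Log Format input, the sample lines and the names FindTagDeletes and Finding are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (Combined Log Format); not real traffic.
var sampleLog = []string{
	`10.0.0.5 - - [04/May/2026:10:00:01 +0000] "DELETE /v2/team/app/manifests/v1.2.0 HTTP/1.1" 202 0 "" "client/1.0"`,
	`10.0.0.5 - - [04/May/2026:10:00:02 +0000] "DELETE /v2/team/app/manifests/sha256:` + strings.Repeat("a", 64) + ` HTTP/1.1" 405 78 "" "client/1.0"`,
	`10.0.0.7 - - [04/May/2026:10:00:03 +0000] "GET /v2/team/app/manifests/latest HTTP/1.1" 200 1024 "" "client/1.0"`,
	`10.0.0.9 - - [04/May/2026:10:00:04 +0000] "DELETE /v2/lib/base/manifests/latest HTTP/1.1" 401 87 "" "client/1.0"`,
}

// reqRe captures method, repository name, reference and status code.
var reqRe = regexp.MustCompile(`"([A-Z]+) /v2/(.+)/manifests/([^ /?]+) HTTP/[0-9.]+" ([0-9]{3}) `)

// digestRe matches a digest reference (algorithm:hex); anything else is treated as a tag.
var digestRe = regexp.MustCompile(`^[a-z0-9+._-]+:[0-9a-fA-F]{32,}$`)

// Finding is one successful tag deletion seen in the log.
type Finding struct{ Repo, Tag, Line string }

// FindTagDeletes returns every DELETE on a manifests URL whose reference is
// a tag and whose status is 2xx, i.e. the request was accepted by the server.
func FindTagDeletes(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		m := reqRe.FindStringSubmatch(l)
		if m == nil || m[1] != "DELETE" || m[4][0] != '2' {
			continue // not a DELETE on a manifest, or rejected by the server
		}
		if digestRe.MatchString(m[3]) {
			continue // digest reference, not the tag path the description covers
		}
		out = append(out, Finding{Repo: m[2], Tag: m[3], Line: l})
	}
	return out
}

func main() {
	for _, f := range FindTagDeletes(sampleLog) {
		fmt.Printf("tag delete succeeded: repo=%s tag=%s\n", f.Repo, f.Tag)
	}
}
```
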

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-41888
GHSA-6PJF-3R9X-M592
OPENSUSE-SU-2026:10812-1
OPENSUSE-SU-2026:10814-1
OPENSUSE-SU-2026:10824-1

Affected Products

Distribution