CVE-2026-35172

Technical details about CVE-2026-35172 are not publicly available in the provided connected documents. Monitor for updates regarding affected versions, remediation, and exploit information.

CVE-2026-35172 Distribution has stale blob access resurrection via repo-scoped redis descriptor cache invalidation

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

GHSA-F2G3-HH2R-CWGC Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation

summary: distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. the delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get...

EUVD-2026-19446

Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation...

GHSA-55R9-5MX9-QQ7R Cache driver GetBlob() allows read access to any blob without access control check

Summary Cache driver GetBlob allows read access to any blob without access control check Details If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled it is enabled by default, then an attacker who knows t...