The vulnerability allows a client that can reach the Docker Distribution API to delete any tag from any repository by invoking DELETE /v2/<name>/manifests/<tag>. The bug bypasses the storage.delete.enabled configuration flag, so even when this setting is set to false the API will remove tags. The flaw is a classic missing authorization error (CWE-863) that provides an attacker the ability to modify the contents of a registry without proper permission checks.

This issue affects the distribution:distribution repository, specifically all releases older than version 3.1.1. The fix was introduced in 3.1.1, restoring the proper enforcement of the storage.delete.enabled setting. No specific version ranges are provided beyond the statement that releases prior to 3.1.1 are vulnerable.

With a CVSS score of 6.3 the vulnerability is assessed at medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a direct API call to the DELETE endpoint; authentication requirements are not explicitly described but the description indicates any API client can perform the operation, suggesting the flaw may be exploitable without special credentials. Because of the lack of an exploitation probability score, an effective mitigation strategy is to update quickly.