Skip to main content

Red Hat Quay CVE-2026-10052

| EUVDEUVD-2026-33260 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-29 redhat GHSA-h9q8-x6vm-q57f
4.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Red Hat
4.1 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 09:16 vuln.today

DescriptionCVE.org

A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or host filtering. This allows the attacker to perform internal network reconnaissance from the Quay pod's network position, potentially mapping the internal network infrastructure.

AnalysisAI

Server-Side Request Forgery (SSRF) in Red Hat Quay 3's config-tool allows a highly privileged attacker with config editor access to probe internal network infrastructure from the Quay pod's network position. By supplying attacker-controlled endpoints to the LDAP and SMTP validation functions - which make outbound connections without IP or hostname filtering - the attacker can enumerate internal services and map network topology behind the container boundary. The scope change (S:C) in the CVSS vector confirms that exploitation reaches systems beyond the Quay component itself. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-918 (Server-Side Request Forgery) describes the root cause: the application fetches a remote resource based on user-supplied input without validating or sanitizing the destination. In this case, Red Hat Quay 3's config-tool - a web-based configuration interface - exposes LDAP and SMTP connectivity test functions that accept user-defined host/endpoint parameters and initiate outbound TCP connections to validate those settings. Because no IP block list, hostname allowlist, or RFC-1918 filtering is applied, these functions can be redirected to internal network addresses or metadata services accessible from the Quay pod's network namespace. The affected product is identified by CPE cpe:2.3:a:red_hat:red_hat_quay_3:*:*:*:*:*:*:*:*, covering the Red Hat Quay 3 product line.

RemediationAI

No patched version number is confirmed in the available intelligence data; the CPE uses a wildcard version and no fixed release is cited in the provided references. Monitor https://access.redhat.com/security/cve/CVE-2026-10052 for a vendor-issued patch and apply it immediately upon availability. As a compensating control pending a patch, restrict config editor access in Red Hat Quay to the minimum set of trusted administrators, as PR:H means only config editors can trigger this flaw - reducing that population directly reduces exposure. Additionally, apply network egress controls at the Quay pod level (via Kubernetes NetworkPolicy or firewall rules) to prevent outbound connections from Quay pods to RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and instance metadata endpoints; this trade-off may break legitimate LDAP/SMTP connectivity tests to internal servers, which should be evaluated in context. Review Quay pod network permissions and apply least-privilege network policies.

Vendor StatusVendor

Share

CVE-2026-10052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy