Skip to main content

Red Hat Quay CVE-2026-10078

| EUVDEUVD-2026-33272 LOW
Use of GET Request Method With Sensitive Query Strings (CWE-598)
2026-05-29 redhat GHSA-f2q6-8fx7-gjf8
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 11:01 vuln.today

DescriptionCVE.org

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.

AnalysisAI

Credential exposure in Red Hat Quay 3's config-tool GitLab OAuth validator allows OAuth client_id and client_secret to leak into system logs. The config-tool incorrectly appends these sensitive values as URL query parameters on POST requests to the GitLab endpoint, causing them to appear in server access logs, reverse proxy logs, and monitoring infrastructure. A highly privileged attacker with read access to those log systems can harvest the exposed OAuth credentials and use them for unauthorized GitLab API access. No public exploit code exists and this is not listed in CISA KEV.

Technical ContextAI

Red Hat Quay 3 (CPE: cpe:2.3:a:red_hat:red_hat_quay_3) ships a config-tool that validates GitLab OAuth integrations. OAuth 2.0 credentials - specifically client_id and client_secret - are meant to be transmitted in the HTTP POST request body or as Authorization headers, never as URL query parameters. CWE-598 (Use of GET Request Method With Sensitive Query Strings) captures this broader class of defect: placing secrets in the URL exposes them to any system that logs the full request URI, including web servers (e.g., nginx, Apache), reverse proxies, load balancers, SIEM pipelines, and browser/network history. Even though the HTTP method is POST, query-string secrets are equally visible in server access logs as they are for GET requests. This means credential exposure is not gated on network interception but on log access - a much wider attack surface in enterprise environments with centralized logging.

RemediationAI

Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-10078 for the official patched release; no specific fixed version number is independently confirmed from the available input data. The underlying fix should move GitLab OAuth credential parameters (client_id, client_secret) from URL query strings into the HTTP POST request body, consistent with OAuth 2.0 best practices. As an immediate compensating control pending patch application, restrict read access to server access logs, reverse proxy logs, and any centralized log aggregation systems to the minimum required personnel - this prevents opportunistic credential harvesting from existing log records. Additionally, rotate any GitLab OAuth client_secret values that were transmitted through Quay's config-tool while the vulnerable version was in use, as previously captured log entries may already contain the exposed credentials. Disabling the GitLab OAuth validation feature in config-tool entirely is an option for organizations that do not use GitLab integration, eliminating the exposure at the cost of losing that authentication pathway.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

CVE-2026-10078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy