Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
AnalysisAI
Credential exposure in Red Hat Quay 3's config-tool GitLab OAuth validator allows OAuth client_id and client_secret to leak into system logs. The config-tool incorrectly appends these sensitive values as URL query parameters on POST requests to the GitLab endpoint, causing them to appear in server access logs, reverse proxy logs, and monitoring infrastructure. A highly privileged attacker with read access to those log systems can harvest the exposed OAuth credentials and use them for unauthorized GitLab API access. No public exploit code exists and this is not listed in CISA KEV.
Technical ContextAI
Red Hat Quay 3 (CPE: cpe:2.3:a:red_hat:red_hat_quay_3) ships a config-tool that validates GitLab OAuth integrations. OAuth 2.0 credentials - specifically client_id and client_secret - are meant to be transmitted in the HTTP POST request body or as Authorization headers, never as URL query parameters. CWE-598 (Use of GET Request Method With Sensitive Query Strings) captures this broader class of defect: placing secrets in the URL exposes them to any system that logs the full request URI, including web servers (e.g., nginx, Apache), reverse proxies, load balancers, SIEM pipelines, and browser/network history. Even though the HTTP method is POST, query-string secrets are equally visible in server access logs as they are for GET requests. This means credential exposure is not gated on network interception but on log access - a much wider attack surface in enterprise environments with centralized logging.
RemediationAI
Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-10078 for the official patched release; no specific fixed version number is independently confirmed from the available input data. The underlying fix should move GitLab OAuth credential parameters (client_id, client_secret) from URL query strings into the HTTP POST request body, consistent with OAuth 2.0 best practices. As an immediate compensating control pending patch application, restrict read access to server access logs, reverse proxy logs, and any centralized log aggregation systems to the minimum required personnel - this prevents opportunistic credential harvesting from existing log records. Additionally, rotate any GitLab OAuth client_secret values that were transmitted through Quay's config-tool while the vulnerable version was in use, as previously captured log entries may already contain the exposed credentials. Disabling the GitLab OAuth validation feature in config-tool entirely is an option for organizations that do not use GitLab integration, eliminating the exposure at the cost of losing that authentication pathway.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33272
GHSA-f2q6-8fx7-gjf8