Skip to main content

Red Hat Quay CVE-2026-11569

| EUVDEUVD-2026-35044 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-08 redhat GHSA-vv84-74f6-h4pq
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 13:45 vuln.today

DescriptionCVE.org

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.

AnalysisAI

Stored cross-site scripting in Red Hat Quay 3.x allows an authenticated user with repository write access to upload a malicious SVG file via the filedrop endpoint, which lacks MIME type validation. The uploaded file is persisted and served inline through the CDN, meaning any victim who visits the archive URL will have attacker-controlled JavaScript execute in their browser. No public exploit has been identified at time of analysis, and exploitation requires both repository write privileges and victim interaction, limiting opportunistic mass exploitation.

Technical ContextAI

Red Hat Quay is a container image registry platform. Its filedrop endpoint - used for uploading archive or artifact content - fails to validate or restrict the MIME types of uploaded files. SVG is an XML-based image format natively supported by browsers, and the SVG specification permits embedded JavaScript (e.g., via <script> tags or event handlers). When an SVG containing JavaScript is stored and the CDN serves it inline rather than forcing a download disposition, the browser executes the script in the context of the Quay origin. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS) root cause: untrusted user input is stored and later reflected into a web context without sanitization. The Changed Scope (S:C) in the CVSS vector indicates that the impacted security context extends beyond the vulnerable component itself, consistent with session hijacking or credential theft affecting other Quay users.

RemediationAI

No specific patched version was confirmed in the available source data. Administrators should consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-11569 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2486194 for patch availability and upgrade instructions as Red Hat releases a fix. As a compensating control pending a patch, operators can restrict access to the filedrop endpoint at the network or reverse-proxy layer to limit which accounts or IP ranges can submit uploads - trade-off: this may disrupt legitimate CI/CD pipeline workflows that rely on artifact uploads. Additionally, configuring the CDN or web server to force a Content-Disposition: attachment header for all filedrop-served content would prevent inline browser rendering of SVG files, eliminating the XSS execution path without blocking the upload feature itself - this is a low-disruption mitigation that does not affect file storage or download workflows. Auditing existing uploaded files in the filedrop directory for SVG files with embedded script content is also advisable.

Vendor StatusVendor

Share

CVE-2026-11569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy