Skip to main content

Red Hat Quay CVE-2026-32589

| EUVDEUVD-2026-20513 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 redhat GHSA-7fjh-cgxv-cjc6
7.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 28, 2026 - 07:28 vuln.today
v2 (cvss_changed)
CVSS changed
Apr 28, 2026 - 07:22 NVD
7.1 (HIGH) 7.4 (HIGH)
Re-analysis Queued
Apr 21, 2026 - 23:37 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 18:16 euvd
EUVD-2026-20513
Analysis Generated
Apr 08, 2026 - 18:16 vuln.today
CVE Published
Apr 08, 2026 - 17:04 nvd
HIGH 7.1

DescriptionCVE.org

A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.

AnalysisAI

Red Hat Quay's container image upload mechanism allows authenticated users with push privileges to interfere with concurrent uploads by other users across the entire registry, enabling unauthorized read, modification, or cancellation of in-progress uploads in repositories they cannot access. This cross-repository attack vector affects Red Hat Quay 3.x and Mirror Registry deployments. EPSS score of 0.03% (8th percentile) indicates low predicted exploitation probability in the wild, and CISA SSVC framework rates this as non-automatable with no known exploitation, suggesting targeted risk rather than widespread threat despite the 7.4 CVSS score.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that Red Hat Quay's image upload process uses insufficiently validated user-supplied identifiers to locate or lock upload sessions. The container registry architecture typically manages concurrent blob uploads through session tokens or temporary storage identifiers. The flaw allows an authenticated attacker to manipulate these identifiers to reference upload sessions belonging to other users in different repositories. Affected products per CPE data include Red Hat Quay 3.x (cpe:2.3:a:red_hat:red_hat_quay_3) and Mirror Registry for Red Hat OpenShift versions 1.x and 2.x. The Changed scope (S:C) in the CVSS vector confirms that impact extends beyond the attacker's authorized repository boundaries into other users' security contexts.

RemediationAI

Consult Red Hat's official security advisory at https://access.redhat.com/security/cve/CVE-2026-32589 for patched versions and upgrade instructions, as specific fix versions are not confirmed in available analysis data. Monitor Red Hat Bugzilla ticket 2446963 (https://bugzilla.redhat.com/show_bug.cgi?id=2446963) for technical details and patch availability timeline. As compensating controls until patching, restrict repository push access to only trusted authenticated users in multi-tenant Quay deployments, implement network segmentation to limit registry access to authorized build systems rather than broad developer access, and enable comprehensive audit logging to detect anomalous upload session activity patterns (trade-off: increased storage and log analysis overhead). In high-security environments, consider temporary migration to isolated single-tenant Quay instances per development team to eliminate cross-repository attack surface (trade-off: increased operational complexity and infrastructure costs). Review and revoke unnecessary push privileges across all repositories to minimize the pool of potentially malicious authenticated users.

Vendor StatusVendor

Share

CVE-2026-32589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy