EUVD-2026-20513
GHSA-7fjh-cgxv-cjc6
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Lifecycle Timeline
3Description
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Analysis
Red Hat Quay container registry allows authenticated users with push access to interfere with other users' image uploads across repositories, including those they cannot access. An authenticated attacker (PR:L) can read, modify, or cancel in-progress uploads in any repository on the registry, bypassing authorization boundaries. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Red Hat Quay 3.x and Mirror Registry instances in your environment and document administrator and push-access user accounts. Within 7 days: Review audit logs for unauthorized upload modifications or cancellations; audit push-access user permissions and reduce to minimum necessary scope per repository. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today