Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
AnalysisAI
Red Hat Quay's container image upload mechanism allows authenticated users with push privileges to interfere with concurrent uploads by other users across the entire registry, enabling unauthorized read, modification, or cancellation of in-progress uploads in repositories they cannot access. This cross-repository attack vector affects Red Hat Quay 3.x and Mirror Registry deployments. EPSS score of 0.03% (8th percentile) indicates low predicted exploitation probability in the wild, and CISA SSVC framework rates this as non-automatable with no known exploitation, suggesting targeted risk rather than widespread threat despite the 7.4 CVSS score.
Technical ContextAI
This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that Red Hat Quay's image upload process uses insufficiently validated user-supplied identifiers to locate or lock upload sessions. The container registry architecture typically manages concurrent blob uploads through session tokens or temporary storage identifiers. The flaw allows an authenticated attacker to manipulate these identifiers to reference upload sessions belonging to other users in different repositories. Affected products per CPE data include Red Hat Quay 3.x (cpe:2.3:a:red_hat:red_hat_quay_3) and Mirror Registry for Red Hat OpenShift versions 1.x and 2.x. The Changed scope (S:C) in the CVSS vector confirms that impact extends beyond the attacker's authorized repository boundaries into other users' security contexts.
RemediationAI
Consult Red Hat's official security advisory at https://access.redhat.com/security/cve/CVE-2026-32589 for patched versions and upgrade instructions, as specific fix versions are not confirmed in available analysis data. Monitor Red Hat Bugzilla ticket 2446963 (https://bugzilla.redhat.com/show_bug.cgi?id=2446963) for technical details and patch availability timeline. As compensating controls until patching, restrict repository push access to only trusted authenticated users in multi-tenant Quay deployments, implement network segmentation to limit registry access to authorized build systems rather than broad developer access, and enable comprehensive audit logging to detect anomalous upload session activity patterns (trade-off: increased storage and log analysis overhead). In high-security environments, consider temporary migration to isolated single-tenant Quay instances per development team to eliminate cross-repository attack surface (trade-off: increased operational complexity and infrastructure costs). Review and revoke unnecessary push privileges across all repositories to minimize the pool of potentially malicious authenticated users.
Authenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deser
Server-side request forgery (SSRF) in Red Hat Mirror Registry and Red Hat Quay 3.x allows authenticated users to conduct
Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization adminis
OpenShift Mirror Registry leaks valid usernames and email addresses through inconsistent error messages during authentic
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20513
GHSA-7fjh-cgxv-cjc6