Skip to main content

Red Hat Quay 3 CVE-2026-6848

| EUVDEUVD-2026-24735 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-22 redhat GHSA-fwq2-5p9g-fm29
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 22, 2026 - 13:09 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 10:00 euvd
EUVD-2026-24735
Analysis Generated
Apr 22, 2026 - 10:00 vuln.today
CVE Published
Apr 22, 2026 - 09:06 nvd
MEDIUM 5.4

DescriptionCVE.org

A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle authenticated browser session, to perform privileged actions without providing valid credentials. The vulnerability enables unauthorized execution of sensitive operations despite the user interface displaying an error for invalid credentials.

AnalysisAI

Red Hat Quay 3 bypasses password re-verification for sensitive operations such as token generation and robot account creation, allowing users with timed-out or idle authenticated sessions to perform privileged actions without providing valid credentials. An attacker with access to an abandoned browser session can execute sensitive operations despite the UI displaying authentication errors, resulting in unauthorized token creation, robot account manipulation, and information disclosure. CVSS 5.4 reflects moderate risk with network attack vector and low privilege requirements.

Technical ContextAI

Red Hat Quay is a container image registry and repository management platform. The vulnerability exists in the authentication re-verification mechanism (CWE-613: Insufficient Session Expiration) that is supposed to challenge users for credentials before executing sensitive operations. The flaw allows this challenge to be circumvented through session manipulation or timeout handling, bypassing the second-factor credential validation that protects against unauthorized use of abandoned authenticated sessions. The affected component is Red Hat Quay 3.x, as identified by CPE cpe:2.3:a:red_hat:red_hat_quay_3:*:*:*:*:*:*:*:*.

RemediationAI

Apply the vendor-released security patch for Red Hat Quay 3 as documented in the Red Hat Security Advisory (https://access.redhat.com/security/cve/CVE-2026-6848). The patch fixes the re-authentication bypass by enforcing mandatory credential re-verification for sensitive operations. Until the patch is applied, the following compensating controls reduce risk: enforce browser-session timeouts of 15-30 minutes in Quay configurations or reverse-proxy settings to minimize the window for abandoned-session exploitation; disable or restrict robot account creation and token generation APIs to service accounts with multi-factor authentication; and require VPN or bastion host access to the Quay management interface to limit physical or remote attacker access to authenticated workstations. Note: these controls introduce operational friction and do not fix the underlying flaw; patching is the primary remediation.

Vendor StatusVendor

Share

CVE-2026-6848 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy