Red Hat Quay 3 CVE-2026-6848

| EUVD-2026-24735 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-22 redhat GHSA-fwq2-5p9g-fm29
Information Disclosure Redhat
5.4
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 22, 2026 - 13:09 vuln.today

DescriptionNVD

A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle authenticated browser session, to perform privileged actions without providing valid credentials. The vulnerability enables unauthorized execution of sensitive operations despite the user interface displaying an error for invalid credentials.

AnalysisAI

Red Hat Quay 3 bypasses password re-verification for sensitive operations such as token generation and robot account creation, allowing users with timed-out or idle authenticated sessions to perform privileged actions without providing valid credentials. An attacker with access to an abandoned browser session can execute sensitive operations despite the UI displaying authentication errors, resulting in unauthorized token creation, robot account manipulation, and information disclosure. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6848 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy