Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle authenticated browser session, to perform privileged actions without providing valid credentials. The vulnerability enables unauthorized execution of sensitive operations despite the user interface displaying an error for invalid credentials.
AnalysisAI
Red Hat Quay 3 bypasses password re-verification for sensitive operations such as token generation and robot account creation, allowing users with timed-out or idle authenticated sessions to perform privileged actions without providing valid credentials. An attacker with access to an abandoned browser session can execute sensitive operations despite the UI displaying authentication errors, resulting in unauthorized token creation, robot account manipulation, and information disclosure. CVSS 5.4 reflects moderate risk with network attack vector and low privilege requirements.
Technical ContextAI
Red Hat Quay is a container image registry and repository management platform. The vulnerability exists in the authentication re-verification mechanism (CWE-613: Insufficient Session Expiration) that is supposed to challenge users for credentials before executing sensitive operations. The flaw allows this challenge to be circumvented through session manipulation or timeout handling, bypassing the second-factor credential validation that protects against unauthorized use of abandoned authenticated sessions. The affected component is Red Hat Quay 3.x, as identified by CPE cpe:2.3:a:red_hat:red_hat_quay_3:*:*:*:*:*:*:*:*.
RemediationAI
Apply the vendor-released security patch for Red Hat Quay 3 as documented in the Red Hat Security Advisory (https://access.redhat.com/security/cve/CVE-2026-6848). The patch fixes the re-authentication bypass by enforcing mandatory credential re-verification for sensitive operations. Until the patch is applied, the following compensating controls reduce risk: enforce browser-session timeouts of 15-30 minutes in Quay configurations or reverse-proxy settings to minimize the window for abandoned-session exploitation; disable or restrict robot account creation and token generation APIs to service accounts with multi-factor authentication; and require VPN or bastion host access to the Quay management interface to limit physical or remote attacker access to authenticated workstations. Note: these controls introduce operational friction and do not fix the underlying flaw; patching is the primary remediation.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24735
GHSA-fwq2-5p9g-fm29