Skip to main content

Mirror Registry For Red Hat Openshift EUVDEUVD-2026-20517

| CVE-2026-32591 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 redhat GHSA-9wjq-f6rc-86wf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Red Hat
5.2 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
CVSS changed
Jun 30, 2026 - 03:24 NVD
5.2 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 18:16 euvd
EUVD-2026-20517
Analysis Generated
Apr 08, 2026 - 18:16 vuln.today
CVE Published
Apr 08, 2026 - 17:06 nvd
MEDIUM 5.2

DescriptionNVD

A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.

AnalysisAI

Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization administrators to force the Quay server to make unvalidated network requests to internal services, cloud infrastructure endpoints, or otherwise restricted resources by supplying a crafted upstream registry hostname. With CVSS 5.2 and high confidentiality impact, this vulnerability requires administrator privileges and user interaction but poses significant risk to internal network exposure; no public exploit code or active exploitation (KEV) confirmed at time of analysis.

Technical ContextAI

Red Hat Quay implements a Proxy Cache feature that allows organization administrators to configure upstream registries for caching container images. The vulnerability stems from improper input validation of the upstream registry hostname (CWE-918: Server-Side Request Forgery). When a hostname is supplied, Quay establishes a network connection without verifying that the destination is a legitimate external service, enabling an attacker to redirect requests to internal IP addresses (RFC 1918 ranges), localhost services, cloud metadata endpoints (e.g., AWS IMDSv2, GCP metadata service), Kubernetes API servers, or other restricted resources. The affected products include Red Hat Quay 3.x and Mirror Registry for Red Hat OpenShift (versions 1.x and 2.x), which share this codebase. The SSRF attack vector is network-based, low complexity, but gated by high privilege (PR:H) requirement and user interaction (UI:R), indicating the vulnerability requires an administrator to actively configure the malicious upstream registry.

RemediationAI

Organizations must upgrade Red Hat Quay to a patched version released after this advisory (consult https://access.redhat.com/security/cve/CVE-2026-32591 and https://bugzilla.redhat.com/show_bug.cgi?id=2446965 for exact version numbers and timelines). For Mirror Registry for Red Hat OpenShift, ensure both 1.x and 2.x deployments are updated to their respective patched releases. As a short-term compensating control, restrict the ability to configure Proxy Cache settings to a minimal set of highly trusted administrators, enforce mandatory change approval workflows for upstream registry hostname modifications, and implement network segmentation to limit Quay server access to only approved external registries. Monitor and audit all Proxy Cache configuration changes and validate that configured upstream registries resolve to legitimate external services. Container image registries should implement egress firewall rules to prevent Quay from accessing internal network ranges (RFC 1918) and cloud metadata endpoints (169.254.169.254, etc.).

Vendor StatusVendor

Share

EUVD-2026-20517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy