Description
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
Published: 2026-05-29
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the configuration tool (config-tool) used by Red Hat Quay causes the GitLab OAuth client credentials, the client_id and client_secret, to be sent as plain text in the URL query string of a POST request to the GitLab endpoint. Web servers, reverse proxies and other monitoring systems routinely record the request line, query string included, so the credentials end up in log files; anyone who can read those logs can recover them and act as the Quay OAuth application towards GitLab. This is an instance of CWE-598 (Use of GET Request Method With Sensitive Query Strings): the underlying weakness, secrets placed in the query string where they are logged, applies regardless of the HTTP method. TLS protects the query string in transit but not at the endpoints and proxies that log it.

Affected Systems

Red Hat Quay version 3 (CPE cpe:/a:redhat:quay:3) is affected, specifically its config-tool component. Any installation whose config-tool runs the GitLab OAuth validator as shipped in the Red Hat Quay 3 distribution is exposed; no fixed version is listed on this page.

Risk and Exploitability

The CVSS 3.1 score of 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) reflects low severity: the impact is limited to confidentiality, and high privileges (PR:H) are required because the attacker must already be able to read the logs. The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog, so there is no indication of exploitation in the wild (the SSVC assessment in the history below likewise records Exploitation: none and Automatable: no). The realistic attack path is read access to any log that stores request URLs: local administrators, log aggregation and monitoring platforms, a compromised host or reverse proxy, or a network observer if the request travels over plain HTTP (TLS hides the query string in transit, but not from the proxy or server that terminates it). Anyone who obtains the client_id and client_secret can use them as the Quay OAuth application when talking to GitLab, within whatever scopes that application was granted.

Generated by OpenCVE AI on May 29, 2026 at 11:50 UTC.
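The Go program below is added here as an illustration of the weakness; it is not code from Quay's config-tool or from Red Hat. It stands up a local httptest server in place of the GitLab endpoint and records only what an access log or reverse proxy would record, the request line, then sends the same credentials once in the query string (the flawed shape) and once in the form body (the hardened shape). The placeholder credential values and the /oauth/token path are assumptions for the demo, not details from the advisory.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// accessLog stands in for what an upstream server, reverse proxy or access
// log records about a request: method plus request URI (path and query
// string). Request bodies are not recorded, which is the whole point.
type accessLog struct {
	mu    sync.Mutex
	lines []string
}

func (a *accessLog) handler(w http.ResponseWriter, r *http.Request) {
	a.mu.Lock()
	a.lines = append(a.lines, fmt.Sprintf("%s %s", r.Method, r.URL.RequestURI()))
	a.mu.Unlock()
	io.Copy(io.Discard, r.Body) // consume the body like a real endpoint would
	w.WriteHeader(http.StatusOK)
}

// vulnerablePost reproduces the weakness: the OAuth client credentials are
// URL-encoded into the query string of the POST, so they travel in the
// request line that every hop is likely to log.
func vulnerablePost(base, clientID, clientSecret string) error {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("client_secret", clientSecret)
	q.Set("grant_type", "client_credentials")
	resp, err := http.Post(base+"/oauth/token?"+q.Encode(),
		"application/x-www-form-urlencoded", strings.NewReader(""))
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// hardenedPost sends the same parameters in the form body instead. The
// logged request line is then just "POST /oauth/token".
func hardenedPost(base, clientID, clientSecret string) error {
	form := url.Values{}
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	form.Set("grant_type", "client_credentials")
	resp, err := http.PostForm(base+"/oauth/token", form)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Demo runs both requests against a local stand-in for the GitLab endpoint
// and returns the two request lines its access log captured.
func Demo() (vulnerableLine, hardenedLine string, err error) {
	var rec accessLog
	srv := httptest.NewServer(http.HandlerFunc(rec.handler))
	defer srv.Close()

	// Constructed placeholder credentials, not real GitLab values.
	const clientID, clientSecret = "example-client-id", "example-client-secret"

	if err := vulnerablePost(srv.URL, clientID, clientSecret); err != nil {
		return "", "", err
	}
	if err := hardenedPost(srv.URL, clientID, clientSecret); err != nil {
		return "", "", err
	}
	rec.mu.Lock()
	defer rec.mu.Unlock()
	return rec.lines[0], rec.lines[1], nil
}

func main() {
	v, h, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("logged (vulnerable):", v)
	fmt.Println("logged (hardened):  ", h)
}
```

Running it prints the two request lines side by side: the first contains client_secret=example-client-secret verbatim, the second is only POST /oauth/token. Moving the parameters into the body (or, for token endpoints that support it, into an Authorization header) is the shape of fix the advisory calls for, and it is also why the CVSS vector scores confidentiality only: nothing about the request's integrity or the service's availability changes.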

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Red Hat Quay 3 release that addresses this CVE once Red Hat publishes one; no fixed version or workaround is listed on this page yet.
  • Configure the web server, reverse proxy and monitoring stack so that request URLs carrying sensitive parameters are either not logged at all or scrubbed before they are written, with the values of client_id and client_secret replaced.
  • Restrict read access to log files and monitoring outputs to authorized personnel, review existing logs for credentials that have already been recorded, and rotate the GitLab OAuth client secret if it has been logged.

Generated by OpenCVE AI on May 29, 2026 at 11:50 UTC.
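As an added example of the scrubbing and log-review actions above, not OpenCVE's or Red Hat's code, the Go program below scans access-log lines for exposed OAuth parameters and scrubs their values before a line is retained. The log lines are constructed for the demo in combined log format, and the token parameter names beyond client_id and client_secret are an assumption about what similar OAuth flows leak.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SensitiveParams are query-string keys whose values must never reach a
// log. client_id and client_secret are the ones this CVE leaks; the token
// names are an assumption about what similar OAuth flows expose.
var SensitiveParams = []string{"client_secret", "client_id", "access_token", "refresh_token"}

// paramPattern matches key=value for any sensitive key inside a logged
// request URI. A value ends at "&", whitespace or a closing quote, which
// covers the request field of the common and combined log formats.
var paramPattern = regexp.MustCompile(
	`(?i)([?&])(` + strings.Join(SensitiveParams, "|") + `)=([^&\s"]*)`)

// SampleLines are constructed access-log lines; the first mirrors the
// leaking request shape described in the advisory, the second is clean.
var SampleLines = []string{
	`10.0.0.5 - - [29/May/2026:10:30:00 +0000] "POST /oauth/token?client_id=abc123&client_secret=s3cr3t&grant_type=client_credentials HTTP/1.1" 200 512`,
	`10.0.0.5 - - [29/May/2026:10:30:01 +0000] "GET /api/v4/user HTTP/1.1" 200 88`,
}

// Finding records one exposed parameter in one log line (1-based).
type Finding struct {
	Line  int
	Param string
}

// Scan reports every sensitive parameter present in the given lines, in
// the order they appear, so existing logs can be reviewed for exposure.
func Scan(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, m := range paramPattern.FindAllStringSubmatch(line, -1) {
			out = append(out, Finding{Line: i + 1, Param: strings.ToLower(m[2])})
		}
	}
	return out
}

// Scrub rewrites a log line so the value of each sensitive parameter is
// replaced by [REDACTED]; the key is kept so the line stays diagnosable.
func Scrub(line string) string {
	return paramPattern.ReplaceAllString(line, `${1}${2}=[REDACTED]`)
}

func main() {
	for _, f := range Scan(SampleLines) {
		fmt.Printf("line %d exposes %s\n", f.Line, f.Param)
	}
	for _, l := range SampleLines {
		fmt.Println(Scrub(l))
	}
}
```

Scan is the review step: run it over retained logs from before the fix to decide whether the secret needs rotating. Scrub is the retention step and belongs as close to the log writer as possible (a logging filter in the proxy or the shipper), because a line that has already reached a central aggregator has usually also reached its backups.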


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
Description           (none)           A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
Title                 (none)           Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring
First Time appeared   (none)           Redhat
                                       Redhat quay
Weaknesses            (none)           CWE-598
CPEs                  (none)           cpe:/a:redhat:quay:3
Vendors & Products    (none)           Redhat
                                       Redhat quay
References            (none)
Metrics               (none)           cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-29T18:27:39.192Z

Reserved: 2026-05-29T08:57:06.499Z

Link: CVE-2026-10078

Vulnrichment

Updated: 2026-05-29T18:27:19.805Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T11:16:16.663

Modified: 2026-05-29T14:06:47.240

Link: CVE-2026-10078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T14:30:36Z

Weaknesses