Description
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Published: 2026-04-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized manipulation of in‑progress image uploads
Action: Patch ASAP
AI Analysis

Impact

A flaw in Red Hat Quay’s container image upload process allows an authenticated user with push access to any repository to interfere with another user’s in‑progress blob upload. The attacker can read the upload data, modify it, or cancel the transfer, potentially causing corruption or denial of service. This weakness is an example of insecure direct object reference (CWE‑639).

Affected Systems

All versions of Red Hat Quay 3 and the mirror registry for Red Hat OpenShift (versions 1 and 2) are affected. The issue applies to any deployment that grants push permissions, regardless of whether the target repository is visible to the attacker.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker must first authenticate to the registry and hold push rights on at least one repository; beyond that, no additional privileges are required. The attack vector is therefore network‑based, but exploitation relies on a legitimate or compromised account that already has push permissions on some repository.

Generated by OpenCVE AI on April 8, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Red Hat Quay 3 or upgrade the mirror registry to a fixed release.
  • If a patch is not immediately available, limit push permissions to trusted users or temporarily disable blob uploads for non‑trusted accounts.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 00:15:00 +0000

  Type        Values Removed           Values Added
  References  (none)                   (none)
  Metrics     threat_severity: None    threat_severity: Important


Wed, 08 Apr 2026 17:45:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
  Title                (none)           Mirror-registry: quay: insecure direct object reference in blobupload
  First Time appeared  (none)           Redhat; Redhat mirror Registry; Redhat quay
  Weaknesses           (none)           CWE-639
  CPEs                 (none)           cpe:/a:redhat:mirror_registry:1; cpe:/a:redhat:mirror_registry:2; cpe:/a:redhat:quay:3
  Vendors & Products   (none)           Redhat; Redhat mirror Registry; Redhat quay
  References           (none)           (none)
  Metrics              (none)           cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T18:01:32.402Z

Reserved: 2026-03-12T14:39:53.657Z

Link: CVE-2026-32589

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T18:25:59.790

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-32589

Redhat

Severity: Important

Public Date: 2026-04-08T00:00:00Z

Links: CVE-2026-32589 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:18:41Z

Weaknesses