Description
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Published: 2026-04-08
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized manipulation of in‑progress image uploads
Action: Patch ASAP
AI Analysis

Impact

A flaw in Red Hat Quay’s container image upload process allows an authenticated user with push access to any repository to interfere with another user’s in‑progress blob upload, even one in a repository the attacker cannot otherwise access. The attacker can read the upload data, modify it, or cancel the transfer, potentially corrupting the image being pushed or denying service to the uploader. The weakness is an instance of insecure direct object reference (CWE‑639, authorization bypass through a user‑controlled key): the upload session is reachable by its identifier without being scoped to the repository the caller is authorized for.
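The following is an added illustration of the CWE‑639 pattern described above, written for this page; it is not Quay’s code and makes no claim about Quay’s internals. It models a registry blob‑upload session (the OCI distribution flow of `POST /v2/<name>/blobs/uploads/` followed by `PATCH /v2/<name>/blobs/uploads/<uuid>`) with a toy in‑memory store. The `Registry` class, its permission map, the user names and repository names are all constructed assumptions. It contrasts a lookup that fetches the session by its id alone (the vulnerable shape) with one that also requires the session to belong to the repository named in the request, which the caller must be able to push to.

```python
"""Added example: scoping a blob-upload session lookup to the request's
repository. Toy model, not Quay's code; all names are assumptions."""
from dataclasses import dataclass, field
import uuid


@dataclass
class BlobUpload:
    upload_id: str
    repository: str                     # "namespace/name" the session was opened in
    owner: str                          # user that started the upload
    chunks: bytearray = field(default_factory=bytearray)


class NotFound(Exception):
    """Raised for unknown sessions and, in the hardened path, for sessions
    that exist but live in another repository (no existence leak)."""


class Registry:
    """Constructed in-memory registry: push_permissions maps user -> {repo}."""

    def __init__(self, push_permissions):
        self.push_permissions = push_permissions
        self.uploads = {}               # upload_id -> BlobUpload

    def has_push(self, user, repository):
        return repository in self.push_permissions.get(user, set())

    def start_upload(self, user, repository):
        # POST /v2/<repository>/blobs/uploads/ in the OCI distribution flow
        if not self.has_push(user, repository):
            raise PermissionError(f"{user} cannot push to {repository}")
        upload = BlobUpload(str(uuid.uuid4()), repository, user)
        self.uploads[upload.upload_id] = upload
        return upload.upload_id

    # --- vulnerable shape ---------------------------------------------------
    def lookup_vulnerable(self, user, repository, upload_id):
        """Verifies push on the repository in the URL, then fetches the session
        by id alone: any session on the registry is reachable by any caller
        that holds push on any repository (the CWE-639 condition)."""
        if not self.has_push(user, repository):
            raise PermissionError(f"{user} cannot push to {repository}")
        upload = self.uploads.get(upload_id)
        if upload is None:
            raise NotFound(upload_id)
        return upload

    # --- hardened shape -----------------------------------------------------
    def lookup(self, user, repository, upload_id):
        """The session must belong to the repository the caller is authorized
        for. A mismatch is reported exactly like an unknown id."""
        if not self.has_push(user, repository):
            raise PermissionError(f"{user} cannot push to {repository}")
        upload = self.uploads.get(upload_id)
        if upload is None or upload.repository != repository:
            raise NotFound(upload_id)
        return upload

    def patch_chunk(self, user, repository, upload_id, data, lookup=None):
        # PATCH /v2/<repository>/blobs/uploads/<upload_id>
        upload = (lookup or self.lookup)(user, repository, upload_id)
        upload.chunks.extend(data)
        return len(upload.chunks)


def _scenario():
    """Constructed fixture: alice pushes a layer to teamA/app; mallory can
    push only to mallory/scratch and has no access to teamA/app."""
    reg = Registry({"alice": {"teamA/app"}, "mallory": {"mallory/scratch"}})
    upload_id = reg.start_upload("alice", "teamA/app")
    reg.patch_chunk("alice", "teamA/app", upload_id, b"layer-bytes")
    return reg, upload_id


def run(lookup_name):
    """As mallory, try to append to alice's session while naming mallory's own
    repository in the request path. Returns (outcome, victim session bytes)."""
    reg, upload_id = _scenario()
    try:
        reg.patch_chunk("mallory", "mallory/scratch", upload_id, b"TAMPER",
                        lookup=getattr(reg, lookup_name))
        outcome = "reached"
    except (PermissionError, NotFound):
        outcome = "blocked"
    return outcome, bytes(reg.uploads[upload_id].chunks)


if __name__ == "__main__":
    print("vulnerable lookup:", run("lookup_vulnerable"))
    print("hardened lookup:  ", run("lookup"))
```

The detection point for a defender is the same as the fix: a session identifier is only meaningful together with the repository it was issued for, so every subsequent `PATCH`, `PUT`, `GET` or `DELETE` on the session should be checked against that pair, and a cross‑repository mismatch is worth logging as an authorization anomaly rather than as a plain 404.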

Affected Systems

All versions of Red Hat Quay 3 and the mirror registry for Red Hat OpenShift (versions 1 and 2) are affected. The issue applies to any deployment that grants push permissions to users, regardless of whether the target repository is visible to the attacker.

Risk and Exploitability

The CVSS score of 7.4 corresponds to High severity. The EPSS score is 0.00032 (< 1%), and the vulnerability is not listed in CISA’s KEV catalog. An attacker must first authenticate to the registry and hold push rights on at least one repository; no further privileges or user interaction are required beyond network reachability of the registry. The attack vector is therefore network‑based, but it relies on a legitimate or compromised account with push permissions.

Generated by OpenCVE AI on April 29, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Red Hat Quay 3 or upgrade the mirror registry to a fixed release.
  • If a patch is not immediately available, limit push permissions to trusted users or temporarily disable blob uploads for untrusted accounts.
  • Audit current push permissions for security compliance and revoke any unnecessary push rights to enforce the principle of least privilege.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 06:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L'}
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}


Wed, 22 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Redhat mirror Registry For Red Hat Openshift

Type: CPEs
Values Added:
  cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Redhat mirror Registry For Red Hat Openshift

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 00:15:00 +0000

Type: References
Values Added:

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Added: A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.

Type: Title
Values Added: Mirror-registry: quay: insecure direct object reference in blobupload

Type: First Time appeared
Values Added: Redhat; Redhat mirror Registry; Redhat quay

Type: Weaknesses
Values Added: CWE-639

Type: CPEs
Values Added:
  cpe:/a:redhat:mirror_registry:1
  cpe:/a:redhat:mirror_registry:2
  cpe:/a:redhat:quay:3

Type: Vendors & Products
Values Added: Redhat; Redhat mirror Registry; Redhat quay

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-28T06:09:02.117Z

Reserved: 2026-03-12T14:39:53.657Z

Link: CVE-2026-32589

Vulnrichment

Updated: 2026-04-08T18:01:27.191Z

NVD

Status: Modified

Published: 2026-04-08T18:25:59.790

Modified: 2026-04-28T07:16:03.023

Link: CVE-2026-32589

Redhat

Severity: Important

Public Date: 2026-04-08T00:00:00Z

Links: CVE-2026-32589 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:45:26Z

Weaknesses