Description
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
Published: 2026-04-08
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in how Red Hat Quay handles resumable container image layer uploads. Between chunks, the server persists the in-progress upload state in its database as a serialized object, and the advisory title identifies the format as Python pickle. Pickle is a code-bearing format: deserializing it can import and call any callable the byte stream names, so there is no safe way to load a pickle whose bytes an attacker may have altered. If an attacker can modify that stored payload, the deserialization step that resumes the upload runs attacker-chosen code on the Quay host, exposing the system to full compromise. This is a classic unsafe-deserialization flaw, classified as CWE-502.
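As an added illustration (this is example code, not Quay's own implementation; the upload-state fields, the server key and the tamper step are constructed for the example), the block below shows why a pickle written to a database column is a CWE-502 sink once an attacker can write to that column, and two hardened alternatives: an unpickler that refuses every global, usable for reading legacy rows, and plain JSON with an HMAC tag over the stored bytes so that tampering is detected before anything is parsed.

```python
"""Added example (not Quay's code): why pickle-backed upload state is a CWE-502
sink, and two ways to take the code-execution path away. The state fields,
the server key and the tamper step are constructed for this example."""
import hashlib
import hmac
import io
import json
import pickle

# Constructed per-upload state of the kind a registry keeps between chunks of a
# resumable layer upload. Field names are assumptions, not Quay's schema.
UPLOAD_STATE = {
    "upload_id": "c1f2e3d4",
    "byte_count": 1048576,
    "chunk_count": 3,
    "sha_state": "partial-digest-placeholder",
}

# Constructed server-side secret; in a real service it must live outside the
# database that the attacker is assumed to be able to write to.
SERVER_KEY = b"example-key-not-a-real-secret"


# --- vulnerable pattern: pickle is a code-bearing format ----------------------
def serialize_unsafe(state):
    return pickle.dumps(state)


def deserialize_unsafe(blob):
    # CWE-502: unpickling imports and calls whatever the byte stream names.
    return pickle.loads(blob)


class _TamperedState:
    """Stand-in for a blob an attacker wrote into the state column. __reduce__
    makes pickle emit "look up builtins.eval, call it"; any callable would do."""
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))  # harmless here; could be a shell


def tampered_blob():
    return pickle.dumps(_TamperedState())


# --- hardening 1: refuse every global while unpickling legacy rows ------------
class NoGlobalsUnpickler(pickle.Unpickler):
    """Loads plain data (dict/list/str/int/bytes) but raises on any GLOBAL or
    STACK_GLOBAL, so no callable can be resolved, let alone invoked."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def deserialize_restricted(blob):
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()


# --- hardening 2: plain JSON plus an integrity tag over the stored bytes -------
def serialize_signed(state, key=SERVER_KEY):
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body  # a hex tag never contains '.', so partition is unambiguous


def deserialize_signed(blob, key=SERVER_KEY):
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("upload state failed integrity check")
    return json.loads(body)  # JSON cannot name a callable; worst case is bad data


def tamper_signed(blob):
    """Constructed tamper step: rewrite byte_count in the stored row without re-signing."""
    return blob.replace(b'"byte_count":1048576', b'"byte_count":0')


def outcome(loader, blob):
    """Return what `loader` produced for `blob`, or the exception class name if it refused."""
    try:
        return loader(blob)
    except Exception as e:  # noqa: BLE001 - we want the class name for any refusal
        return type(e).__name__


if __name__ == "__main__":
    print("unsafe load of tampered blob ran code; returned pid:", outcome(deserialize_unsafe, tampered_blob()))
    print("restricted unpickler on tampered blob:", outcome(deserialize_restricted, tampered_blob()))
    signed = serialize_signed(UPLOAD_STATE)
    print("signed JSON round-trip ok:", outcome(deserialize_signed, signed) == UPLOAD_STATE)
    print("signed JSON after tampering:", outcome(deserialize_signed, tamper_signed(signed)))
```

The restricted unpickler only closes the code-execution path; the HMAC tag additionally catches silent data tampering, but only as long as the key is kept out of the database the attacker can write to. Replacing pickle with a data-only format such as JSON is the change that removes the bug class rather than one instance of it.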

Affected Systems

The flaw affects Red Hat Quay 3 and the mirror registry for OpenShift, versions 1 and 2 (CPEs cpe:/a:redhat:quay:3, cpe:/a:redhat:mirror_registry:1 and cpe:/a:redhat:mirror_registry:2). Deployments of these components without a fix for this CVE are vulnerable.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High), with vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H: the flaw is reachable over the network, but exploitation has high complexity, requires a low-privileged account and requires user interaction; Red Hat's own severity rating is Moderate. EPSS data is not yet available, the CVE is not in the KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no sign of mass exploitation. The attacker must still be able to get a crafted serialized payload into the stored upload state, which is feasible for internal threat actors or compromised clients. Once exploited, the attacker runs arbitrary code with the permissions of the Quay service, potentially leading to full system takeover.

Generated by OpenCVE AI on April 8, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Red Hat Quay 3 update that addresses this CVE as soon as Red Hat publishes one; none was listed when this page was generated.
  • Likewise upgrade the mirror registry for OpenShift (versions 1 and 2 are affected) to a release with the fixed upload handling.
  • Until a fix is available, restrict network access to the registry's upload endpoints to trusted hosts, and review which accounts are allowed to push images, since the vector requires only low privileges.
  • Monitor upload logs for abnormal activity and audit the stored upload-state rows for pickles that carry more than plain data (anything that names a module or invokes a callable).
  • Contact Red Hat support for guidance if remediation steps are unclear.
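The fourth action above asks for an audit of stored serialized objects. The following is added example code, not a Quay tool: it walks a set of (row_id, blob) pairs, disassembles each blob with pickletools without ever unpickling it, and flags any opcode that resolves a module attribute or calls something, which plain upload-state data never needs. The row layout and the sample blobs are constructed; Quay's real column name and schema are not known from this page.

```python
"""Added example (not Quay's code): flag stored pickle blobs that could run code,
without unpickling them. The row layout and sample blobs are constructed."""
import pickle
import pickletools

# Opcodes that resolve a module attribute or invoke a callable during unpickling.
# A blob holding only plain data (dicts, lists, strs, ints, bytes) never needs them.
CODE_BEARING = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def audit_pickle(blob):
    """Disassemble `blob` with pickletools (nothing is executed) and return a list
    of (offset, opcode, detail) findings; detail is module.name for global lookups."""
    findings, recent_strings = [], []
    try:
        for op, arg, pos in pickletools.genops(blob):
            if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
                findings.append((pos, op.name, arg.replace(" ", ".", 1)))
            elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed just before
                findings.append((pos, op.name, ".".join(recent_strings[-2:])))
            elif op.name in CODE_BEARING:
                findings.append((pos, op.name, None))
            if isinstance(arg, str):
                recent_strings.append(arg)
    except (ValueError, pickle.UnpicklingError) as e:
        # Not a valid pickle at all: a row the service could never have written itself.
        findings.append((-1, "MALFORMED", str(e)))
    return findings


def audit_rows(rows):
    """rows: (row_id, blob) pairs as a query over the upload-state column would yield.
    Returns {row_id: findings} for every row that is not plain data."""
    flagged = {}
    for row_id, blob in rows:
        findings = audit_pickle(blob)
        if findings:
            flagged[row_id] = findings
    return flagged


# Constructed sample rows (field names are assumptions, not Quay's schema).
class _TamperedState:
    def __reduce__(self):
        return (eval, ("1 + 1",))   # stands in for any attacker-chosen callable


BENIGN_BLOB = pickle.dumps({"upload_id": "u-1", "byte_count": 4096, "chunk_count": 2}, protocol=4)
TAMPERED_BLOB = pickle.dumps(_TamperedState(), protocol=4)
SAMPLE_ROWS = [
    ("upload-1", BENIGN_BLOB),
    ("upload-2", TAMPERED_BLOB),
    ("upload-3", b"not a pickle"),
]

if __name__ == "__main__":
    for row_id, findings in audit_rows(SAMPLE_ROWS).items():
        print(row_id)
        for pos, name, detail in findings:
            print(f"  @{pos:<4} {name:<13} {detail or ''}")
```

Because the scan only disassembles, it is safe to run over a dump of the table or over rows streamed from a read replica. A clean row produces no findings; a row that names builtins.eval followed by REDUCE is the signature of the tampering the advisory describes.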

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 00:15:00 +0000

  Type                       Values Removed   Values Added
  References
  Metrics (threat_severity)  None             Moderate


Wed, 08 Apr 2026 20:15:00 +0000

  Type                       Values Removed   Values Added
  Metrics (ssvc)                              {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 17:45:00 +0000

  Type                       Values Removed   Values Added
  Description                                 A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
  Title                                       Mirror-registry: remote code execution using pickle deserialization
  First Time appeared                         Redhat; Redhat mirror Registry; Redhat quay
  Weaknesses                                  CWE-502
  CPEs                                        cpe:/a:redhat:mirror_registry:1; cpe:/a:redhat:mirror_registry:2; cpe:/a:redhat:quay:3
  Vendors & Products                          Redhat; Redhat mirror Registry; Redhat quay
  References
  Metrics (cvssV3_1)                          {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T19:14:55.136Z

Reserved: 2026-03-12T14:39:53.657Z

Link: CVE-2026-32590

Vulnrichment

Updated: 2026-04-08T19:14:52.191Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T18:25:59.947

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-32590

Redhat

Severity : Moderate

Public Date: 2026-04-08T00:00:00Z

Links: CVE-2026-32590 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:38:57Z

Weaknesses