Description
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.
Published: 2026-04-08
Score: 5.2 Medium
EPSS: n/a
KEV: No
Impact: Server‑Side Request Forgery (unauthorized network access)
Action: Immediate Patch
AI Analysis

Impact

Quay's proxy-cache feature lets an organization administrator name an upstream registry whose images Quay fetches and caches on demand. The application does not validate that hostname, so an administrator can supply an address that makes Quay open an outbound connection to any target reachable from the Quay host: internal network services, cloud-infrastructure endpoints, and other resources that are normally shielded from the application. The CVSS vector (C:H/I:L) reflects that the main consequence is disclosure of data held by those services, with a lesser ability to modify them. The weakness is classified as server-side request forgery (CWE-918).

Affected Systems

Red Hat Quay 3 and the mirror registry for Red Hat OpenShift, versions 1 and 2 (CPEs cpe:/a:redhat:quay:3, cpe:/a:redhat:mirror_registry:1 and cpe:/a:redhat:mirror_registry:2). Both are typically deployed on or alongside OpenShift clusters to serve and cache container images.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N, score 5.2. The attack is launched over the network and is technically simple, but it requires organization-administrator privileges to set the upstream registry (PR:H), and the vector also records that user interaction is required (UI:R). The score is therefore moderate, and the real-world risk depends on how tightly organization-administrator rights are controlled and on what the Quay host can reach on the network. Note that Red Hat's own severity rating for this flaw is Important, one band above what the CVSS score alone suggests. No public exploit, KEV listing or EPSS data is present.

Generated by OpenCVE AI on April 8, 2026 at 18:51 UTC.

Remediation

At the time of this entry, no vendor fix or workaround has been published.

OpenCVE Recommended Actions

  • Watch the Red Hat security announcement and Bugzilla entry linked in the CVE references, and apply the vendor-supplied fix or upgrade to a Quay or mirror registry release that resolves the flaw as soon as one is available.
  • Until then, limit organization-administrator privileges so that only trusted people can configure proxy-cache upstream registries, and review existing proxy-cache configurations for upstream hostnames you do not recognise.
  • Consider disabling the proxy-cache feature, or enforcing an allow list of permitted upstream registry hostnames, and restrict the Quay host's outbound network access so that an unvalidated hostname cannot reach internal services or cloud metadata endpoints.

Generated by OpenCVE AI on April 8, 2026 at 18:51 UTC.
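The hostname check that the Impact section says is missing, and the allow list that the recommended actions suggest, can be combined as below. This is an added illustrative example written for this page; it is not Quay's code and not Red Hat's fix. The function names are hypothetical, and the allow list, the blocked-range table, the FAKE_DNS answers and the host mirror.corp.example are all constructed for the demonstration. It goes one step past the bullet above by showing why an allow list alone is not enough: an allow-listed name can still resolve to an internal or metadata address, so the resolved addresses must be checked too, and the connection should then be pinned to those addresses rather than resolving a second time.

```python
"""Upstream-registry validation for a proxy-cache style feature.

Added example for this page, not Quay's implementation. The allow list,
blocked ranges, host names and DNS answers below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow list of upstream registries an org admin may select.
ALLOWED_UPSTREAMS = {"quay.io", "registry-1.docker.io", "mirror.corp.example"}

# Ranges an upstream must never resolve to: "this network", RFC 1918, CGNAT,
# loopback, link-local (covers the 169.254.169.254 cloud metadata endpoint),
# multicast and reserved, plus the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class UpstreamRejected(ValueError):
    """Raised when an administrator-supplied upstream must not be contacted."""


def parse_upstream(upstream: str) -> tuple[str, int]:
    """Accept 'host', 'host:port' or 'https://host:port/path'; return (host, port)."""
    if "://" not in upstream:
        upstream = "https://" + upstream  # bare host: add a scheme so urlsplit fills .hostname
    parts = urlsplit(upstream)
    if parts.scheme != "https":
        raise UpstreamRejected(f"scheme {parts.scheme!r} not allowed; upstream must be https")
    if not parts.hostname:
        raise UpstreamRejected("no hostname in upstream")
    if parts.username or parts.password:
        raise UpstreamRejected("credentials embedded in the upstream URL are not allowed")
    try:
        port = parts.port or 443
    except ValueError as e:  # urlsplit raises on a non-numeric or out-of-range port
        raise UpstreamRejected(f"invalid port in upstream: {e}") from e
    return parts.hostname.lower().rstrip("."), port


def is_blocked_address(ip: str) -> bool:
    """True if the address lies in a range the server must not connect to."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.1.2.3 is judged as 10.1.2.3.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_upstream(upstream: str, resolver=socket.getaddrinfo) -> tuple[str, int, list[str]]:
    """Return (host, port, resolved_ips) if the upstream may be contacted, else raise.

    Reject IP literals and names outside the allow list first, then resolve once
    and reject any answer in a blocked range. The caller should connect to one of
    the returned IPs (with SNI/Host set to `host`) instead of resolving again, so a
    DNS answer that changes between check and connect cannot redirect the request.
    """
    host, port = parse_upstream(upstream)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise UpstreamRejected("IP literals are not allowed; use an allow-listed hostname")
    if host not in ALLOWED_UPSTREAMS:
        raise UpstreamRejected(f"{host} is not an allow-listed upstream registry")
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        raise UpstreamRejected(f"cannot resolve {host}: {e}") from e
    ips = sorted({info[4][0] for info in infos})
    blocked = [ip for ip in ips if is_blocked_address(ip)]
    if blocked:
        raise UpstreamRejected(f"{host} resolves to blocked address(es): {blocked}")
    return host, port, ips


def check_upstream(upstream: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Non-raising wrapper: (True, 'host:port -> ips') or (False, reason)."""
    try:
        host, port, ips = validate_upstream(upstream, resolver=resolver)
    except UpstreamRejected as e:
        return False, str(e)
    return True, f"{host}:{port} -> {','.join(ips)}"


# Constructed DNS answers so the example runs offline. mirror.corp.example is
# allow-listed but, in this constructed scenario, resolves to the cloud metadata
# address: the case an allow list on its own does not catch.
FAKE_DNS = {
    "quay.io": ["203.0.113.10"],
    "registry-1.docker.io": ["2001:db8::1"],
    "mirror.corp.example": ["169.254.169.254"],
}


def fake_resolver(host, port, **_kwargs):
    """getaddrinfo-shaped lookup over FAKE_DNS; raises gaierror for unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return [(socket.AF_UNSPEC, socket.SOCK_STREAM, 0, "", (ip, port)) for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for candidate in ("quay.io", "https://registry-1.docker.io/v2/", "127.0.0.1:5000",
                      "169.254.169.254", "http://quay.io", "evil.example",
                      "mirror.corp.example", "user:pw@quay.io"):
        print(f"{candidate:40} {check_upstream(candidate, resolver=fake_resolver)}")
```

Run stand-alone, the script prints one verdict per candidate using the constructed resolver; in a deployment the resolver argument would be left at its default, socket.getaddrinfo, and the allow list would come from configuration rather than a module constant.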

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 00:15:00 +0000

  References: changed (no values listed)
  Metrics: threat_severity None -> Important

Wed, 08 Apr 2026 17:45:00 +0000 (entry created; all values added)

  Description: as in the Description section above
  Title: Mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration
  First Time appeared: Redhat; Redhat mirror Registry; Redhat quay
  Weaknesses: CWE-918
  CPEs: cpe:/a:redhat:mirror_registry:1; cpe:/a:redhat:mirror_registry:2; cpe:/a:redhat:quay:3
  Vendors & Products: Redhat; Redhat mirror Registry; Redhat quay
  References: added (no values listed)
  Metrics: cvssV3_1 score 5.2, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T17:06:58.222Z

Reserved: 2026-03-12T14:39:53.657Z

Link: CVE-2026-32591

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T18:26:00.107

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-32591

Redhat

Severity : Important

Public Date: 2026-04-08T00:00:00Z

Links: CVE-2026-32591 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:38:56Z

Weaknesses