CVE-2026-2377
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A flaw was found in Red Hat Quay and mirror registry for Red Hat OpenShift. The log export feature in these products allows an authenticated user to specify an arbitrary callback URL. A backend process then makes server-side HTTP requests to this provided URL. This vulnerability, known as Server-Side Request Forgery (SSRF), could allow an attacker to send requests from the application's internal network, potentially leading to the disclosure of sensitive information.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Quay 3.10 | 1779822261 < * | unaffected |
| Red Hat | Red Hat Quay 3.12 | 1779811412 < * | unaffected |
| Red Hat | Red Hat Quay 3.14 | 1779689392 < * | unaffected |
| Red Hat | Red Hat Quay 3.15 | 1780891395 < * | unaffected |
| Red Hat | Red Hat Quay 3.16 | 1779204086 < * | unaffected |
| Red Hat | Red Hat Quay 3.9 | 1779811473 < * | unaffected |
Weaknesses
- CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
mirror-registry: quay: quay: Server-Side Request Forgery via log export functionality
Additional References
- https://access.redhat.com/security/cve/CVE-2026-2377
- https://bugzilla.redhat.com/show_bug.cgi?id=2439201
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2377.json
- https://access.redhat.com/errata/RHSA-2026:22840
- https://access.redhat.com/errata/RHSA-2026:22629
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:23361
References
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:22629
- https://access.redhat.com/errata/RHSA-2026:22840
- https://access.redhat.com/errata/RHSA-2026:23361
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/security/cve/CVE-2026-2377
- https://bugzilla.redhat.com/show_bug.cgi?id=2439201
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.