CVE-2026-32590
7.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | mirror registry for Red Hat OpenShift 2.0 | 1782177012 < * | unaffected |
| Red Hat | Red Hat Quay 3.10 | 1779822261 < * | unaffected |
| Red Hat | Red Hat Quay 3.12 | 1779811412 < * | unaffected |
| Red Hat | Red Hat Quay 3.14 | 1779689392 < * | unaffected |
| Red Hat | Red Hat Quay 3.15 | 1780891395 < * | unaffected |
| Red Hat | Red Hat Quay 3.16 | 1779204086 < * | unaffected |
| Red Hat | Red Hat Quay 3.17 | 1779922205 < * | unaffected |
| Red Hat | Red Hat Quay 3.17 | 1780604033 < * | unaffected |
| Red Hat | Red Hat Quay 3.9 | 1779811473 < * | unaffected |
Weaknesses
- CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:22465
- https://access.redhat.com/errata/RHSA-2026:22629
- https://access.redhat.com/errata/RHSA-2026:22840
- https://access.redhat.com/errata/RHSA-2026:23361
- https://access.redhat.com/errata/RHSA-2026:24833
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/errata/RHSA-2026:28441
- https://access.redhat.com/security/cve/CVE-2026-32590
- https://bugzilla.redhat.com/show_bug.cgi?id=2446964
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.