OAuth Vulnerability in Quay Config-Tool Exposes Sensitive Credentials
CVE-2026-10078
2.7 LOW
What is CVE-2026-10078?
A security flaw in the Quay config-tool's GitLab OAuth validator allows sensitive credentials, such as client_id and client_secret, to be sent in plaintext through URL query parameters during POST requests. This insecure transmission can lead to the exposure of these credentials in various system logs, including server access logs and reverse proxy logs. Attackers who gain access to these logs could exploit this vulnerability to disclose sensitive information, potentially compromising system security.
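The two request shapes the description contrasts, as an added example that is not the Quay config-tool's own code: one builder appends `client_id`/`client_secret` to the URL query string (the pattern the advisory describes), the other carries them in the POST body, and two helpers give the defender's checks, one that flags a request whose URL carries a secret before it is sent, and one that scans access-log lines for secrets that have already been written. The endpoint `https://gitlab.example.com/oauth/token`, the credential values and the log lines are constructed placeholders; the body-carried form is the standard OAuth approach and is not necessarily the exact change shipped in Quay.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// buildTokenRequestInsecure reproduces the pattern the advisory describes:
// client credentials go into the request URL as query parameters, so every
// access log and reverse-proxy log that records the request target stores
// the secret in plaintext.
func buildTokenRequestInsecure(endpoint, clientID, clientSecret string) (*http.Request, error) {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("client_secret", clientSecret)
	q.Set("grant_type", "client_credentials")
	return http.NewRequest(http.MethodPost, endpoint+"?"+q.Encode(), nil)
}

// buildTokenRequestSecure sends the same parameters as a form-encoded POST
// body. Loggers record the URL, which now holds only the endpoint path; the
// body is protected by TLS and is not normally logged.
func buildTokenRequestSecure(endpoint, clientID, clientSecret string) (*http.Request, error) {
	form := url.Values{}
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	form.Set("grant_type", "client_credentials")
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// sensitiveParams lists query keys that must never appear in a request URL.
var sensitiveParams = []string{"client_secret", "access_token", "refresh_token"}

// URLLeaksSecret returns the sensitive parameter names present in the
// request's query string. Run it in a unit test or just before sending.
func URLLeaksSecret(req *http.Request) []string {
	var leaked []string
	q := req.URL.Query()
	for _, k := range sensitiveParams {
		if _, present := q[k]; present {
			leaked = append(leaked, k)
		}
	}
	return leaked
}

// ScanAccessLog returns log lines whose request target carries a sensitive
// query parameter. A hit means the credential is already on disk and should
// be treated as disclosed (rotate it, then purge the log).
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		for _, k := range sensitiveParams {
			if strings.Contains(line, "?"+k+"=") || strings.Contains(line, "&"+k+"=") {
				hits = append(hits, line)
				break
			}
		}
	}
	return hits
}

// sampleAccessLog is constructed for this example (common log format).
var sampleAccessLog = []string{
	`10.0.0.5 - - [01/Jan/2026:12:00:00 +0000] "POST /oauth/token?client_id=abc&client_secret=s3cret&grant_type=client_credentials HTTP/1.1" 200 512`,
	`10.0.0.5 - - [01/Jan/2026:12:00:01 +0000] "POST /oauth/token HTTP/1.1" 200 512`,
	`10.0.0.7 - - [01/Jan/2026:12:00:02 +0000] "GET /api/v1/user/?page=2 HTTP/1.1" 200 88`,
}

func main() {
	const endpoint = "https://gitlab.example.com/oauth/token" // placeholder
	bad, _ := buildTokenRequestInsecure(endpoint, "abc", "s3cret")
	good, _ := buildTokenRequestSecure(endpoint, "abc", "s3cret")
	fmt.Println("insecure URL:", bad.URL.String(), "leaks:", URLLeaksSecret(bad))
	fmt.Println("secure URL:  ", good.URL.String(), "leaks:", URLLeaksSecret(good))
	fmt.Println("log lines exposing credentials:", len(ScanAccessLog(sampleAccessLog)))
}
```

The log scan only matches the key names in `sensitiveParams`; extend that list to whatever parameter names the validator actually emits, and remember that proxies in front of the service keep their own copies of the request line.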
References
CVSS V3.1
Score: 2.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Martin Brodeur for reporting this issue.