Arbitrary Code Execution Risk in Red Hat Quay Due to Flawed Image Layer Upload Handling
CVE-2026-32590
7.1 HIGH
What is CVE-2026-32590?
A security flaw exists in Red Hat Quay's handling of resumable container image layer uploads. During the upload process, intermediate data is stored in the database using a format that lacks proper validation. If an attacker manipulates this data, it could lead to the execution of arbitrary code on the Quay server, posing a significant security risk. Organizations utilizing Red Hat Quay should review their deployments and consider implementing remedial measures to safeguard against this vulnerability.
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.