Arbitrary Code Execution Risk in Red Hat Quay Due to Flawed Image Layer Upload Handling
CVE-2026-32590

7.1HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Quay 3.16
Mirror Registry For Red Hat Openshift
Mirror Registry For Red Hat Openshift 2
Red Hat Quay 3
Vendor
CVE Published:
8 April 2026

What is CVE-2026-32590?

A security flaw exists in Red Hat Quay's handling of resumable container image layer uploads. During the upload process, intermediate data is stored in the database using a format that lacks proper validation. If an attacker manipulates this data, it could lead to the execution of arbitrary code on the Quay server, posing a significant security risk. Organizations utilizing Red Hat Quay should review their deployments and consider implementing remedial measures to safeguard against this vulnerability.

Affected Version(s)

Red Hat Quay 3.16 1779204086

References

https://access.redhat.com/errata/RHSA-2026:19375
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-32590
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2446964
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.
.