CVE-2026-2376
Open Redirect Vulnerability in mirror-registry Enables Unauthorized Access
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quay | mirror_registry | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2376 is a medium severity vulnerability in the mirror-registry component of Quay's web interface. It is an open redirect flaw where an authenticated user can supply malicious web addresses that the system processes without properly validating the final destination. This allows the system to automatically follow redirects to unintended internal or restricted systems.

Exploiting this vulnerability in combination with the log export callback functionality can lead to a server-side request forgery (SSRF) condition, where the backend worker performs HTTP requests to arbitrary destinations specified by the attacker. [1]
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker to trick the system into accessing internal or restricted systems that they should not have access to. This can lead to unauthorized information disclosure or interaction with internal services.
Because the system follows redirects without verifying the final destination, attackers can use this to perform server-side request forgery (SSRF), potentially enabling them to scan internal networks, access sensitive data, or exploit other internal vulnerabilities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an open redirect and server-side request forgery (SSRF) triggered by user-controlled URLs passed to backend workflows without proper validation.
To detect exploitation attempts on your system or network, monitor for unusual HTTP requests originating from authenticated users that cause backend services to access unexpected internal or external systems.
Specifically, you can look for logs or network traffic showing backend HTTP requests to internal or restricted IP addresses or domains that are not normally accessed.
While no exact commands are provided in the resources, general detection steps include:
- Review application logs for requests containing suspicious or unexpected URLs in the log export callback functionality.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze outbound HTTP requests from the backend service to unusual destinations.
- Example command to monitor outbound HTTP requests on Linux: `tcpdump -i <interface> tcp port 80 or 443`
- Search logs for redirect URLs or callback URLs that contain unexpected domains or IP addresses.
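The log-review steps above can be scripted. The following is an added example, not code from the advisory or from the Quay project: it scans constructed log lines for callback/redirect URL fields and flags destinations that point at non-global IP space (loopback, RFC 1918, link-local including the cloud metadata address) or at hosts outside an expected set. The field names `callback_url`/`redirect`, the `EXPECTED_HOSTS` set and the sample log lines are all assumptions for this example, not Quay's real log format.

```python
# Added example (not from the advisory or the Quay project): scan log lines
# for callback/redirect URLs whose destination is not an expected host.
import ipaddress
import re
from urllib.parse import urlsplit

# Hosts the log-export callback is expected to reach (assumed for this example).
EXPECTED_HOSTS = {"logs.example.com", "storage.example.com"}

# Matches the value of a callback_url= or redirect= field, optionally quoted
# (field names are constructed for this example, not Quay's real log format).
URL_FIELD = re.compile(r'\b(?:callback_url|redirect)=("?)(\S+?)\1(?=\s|$)')


def destination_flags(url):
    """Return the reasons a destination URL looks suspicious (empty list if none)."""
    flags = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        flags.append(f"scheme:{parts.scheme or 'none'}")
    host = parts.hostname or ""
    if not host:
        flags.append("no-host")
        return flags
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Literal IPs in loopback, RFC 1918, link-local (169.254.0.0/16, which
        # includes the cloud metadata address) or other non-global ranges are
        # the classic SSRF pattern; any IP literal is worth a look.
        if not ip.is_global:
            flags.append(f"non-global-ip:{ip}")
        else:
            flags.append(f"ip-literal:{ip}")
    elif host.lower() not in EXPECTED_HOSTS:
        flags.append(f"unexpected-host:{host}")
    return flags


def scan_log_lines(lines):
    """Return (line_number, url, flags) for every line whose URL field is suspicious."""
    findings = []
    for number, line in enumerate(lines, 1):
        for match in URL_FIELD.finditer(line):
            url = match.group(2)
            flags = destination_flags(url)
            if flags:
                findings.append((number, url, flags))
    return findings


# Constructed sample log lines (not real Quay output).
SAMPLE_LOG = [
    "time=2026-03-12T10:00:01Z user=alice action=export_logs callback_url=https://logs.example.com/upload/1",
    "time=2026-03-12T10:00:07Z user=bob action=export_logs callback_url=http://169.254.169.254/latest/meta-data/",
    'time=2026-03-12T10:00:09Z user=bob action=export_logs callback_url="https://10.0.0.5:8080/admin"',
    "time=2026-03-12T10:00:12Z user=carol action=export_logs callback_url=https://attacker.example.net/collect",
]

if __name__ == "__main__":
    for number, url, flags in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {url} -> {', '.join(flags)}")
```

Run against the constructed lines, the script flags lines 2 through 4 and passes line 1. A hostname that is not an IP literal is only checked against the expected set here; in a real deployment the scanner should also resolve each hostname and apply the same range check to the resolved addresses, since an attacker-controlled name can resolve to an internal address.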
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the vulnerable functionality that allows user-controlled URLs to be processed without validation.
Ensure that only trusted and validated URLs are accepted by the application, especially in the log export callback functionality.
Limit the permissions of authenticated users to reduce the risk of exploitation.
Monitor and restrict backend HTTP requests to internal or sensitive systems using network-level controls such as firewalls or access control lists.
Apply any patches or updates provided by the vendor as soon as they become available.
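The core of the mitigation above is that a backend worker must not follow redirects blindly: every hop of a redirect chain is a new destination and needs the same validation as the URL the user submitted. The following is an added example, not code from the advisory or from the Quay project, of a worker-side fetch that disables automatic redirect following and re-validates each `Location` against an https-only allowlist before requesting it. The `ALLOWED_HOSTS` set, the `fetch` callback and the `FAKE_SERVERS` redirect chains are assumptions constructed so the example runs offline.

```python
# Added example (not from the advisory or the Quay project): follow a callback
# URL's redirect chain while validating every hop, instead of letting the HTTP
# client follow redirects on its own.
from urllib.parse import urljoin, urlsplit


class UnsafeDestination(Exception):
    """Raised when a requested or redirected-to URL fails validation."""


# Hosts the export worker is permitted to contact (assumed for this example).
ALLOWED_HOSTS = {"logs.example.com", "storage.example.com"}
MAX_HOPS = 3


def check_destination(url):
    """Raise UnsafeDestination unless url is https to an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeDestination(f"scheme not https: {url}")
    host = (parts.hostname or "").lower()
    # A name allowlist rejects IP literals outright (loopback, RFC 1918,
    # link-local), so no separate address-range check is needed at this layer.
    if host not in ALLOWED_HOSTS:
        raise UnsafeDestination(f"host not allowlisted: {host or '<none>'}")
    return parts


def follow_safely(url, fetch):
    """Fetch url, validating each redirect target before it is requested.

    fetch(url) -> (status, headers) is injected so the example runs offline;
    a real worker would call its HTTP client with redirects disabled.
    Returns (final_url, status).
    """
    current = url
    for _ in range(MAX_HOPS + 1):
        check_destination(current)  # validate before every request, not just the first
        status, headers = fetch(current)
        if status not in (301, 302, 303, 307, 308):
            return current, status
        location = headers.get("Location")
        if not location:
            raise UnsafeDestination(f"redirect without Location from {current}")
        current = urljoin(current, location)  # resolve relative Location values
    raise UnsafeDestination(f"too many redirects starting at {url}")


# Constructed redirect chains standing in for live servers.
FAKE_SERVERS = {
    "https://logs.example.com/upload": (302, {"Location": "https://storage.example.com/u/1"}),
    "https://storage.example.com/u/1": (200, {}),
    "https://logs.example.com/old": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "https://logs.example.com/loop": (302, {"Location": "/loop"}),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client with redirects disabled."""
    return FAKE_SERVERS.get(url, (404, {}))


def try_follow(url):
    """Return ('ok', final_url) or ('blocked', reason) for a callback URL."""
    try:
        final, _status = follow_safely(url, fake_fetch)
        return ("ok", final)
    except UnsafeDestination as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    for candidate in ("https://logs.example.com/upload",
                      "https://logs.example.com/old",
                      "https://logs.example.com/loop",
                      "http://10.0.0.5/x"):
        print(candidate, "->", try_follow(candidate))
```

The allowlisted `/upload` chain completes at the storage host, the `/old` chain is blocked at the second hop because the redirect target leaves the allowlist, the self-redirecting `/loop` is cut off by the hop limit, and a plain-http submission is rejected before any request is made. A production worker would additionally resolve each allowlisted name and connect to the resolved address it validated, so that a name cannot be re-pointed at an internal address between the check and the request.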