CVE-2026-2377
Status: Received - Intake
Server-Side Request Forgery in mirror-registry Log Export Feature

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: Red Hat, Inc.

Description
A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Request Forgery (SSRF). This could lead to unauthorized access to sensitive information or other internal systems.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)

Vendor   Product                                    Version / Range
redhat   quay                                       3.0.0
redhat   mirror_registry_for_red_hat_openshift      *
redhat   mirror_registry_for_red_hat_openshift      2.0
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2377 is a Server-Side Request Forgery (SSRF) vulnerability found in the mirror-registry component called "quay." Authenticated users can exploit the log export feature by providing a specially crafted callback URL. The backend processes this URL asynchronously and makes HTTP requests to it, following redirects and preserving HTTP methods and request bodies. This allows attackers to make arbitrary HTTP requests from the server to internal network resources that are not normally accessible.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to sensitive information or internal systems within the network. Since the backend makes requests to arbitrary URLs provided by authenticated users, attackers can use this to reach internal services that are otherwise protected, potentially exposing confidential data or enabling further attacks within the internal network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this SSRF vulnerability involves monitoring for unusual outbound HTTP requests initiated by the mirror-registry backend, especially those triggered by authenticated users via the log export feature.

Since the vulnerability is exploited by providing a specially crafted callback_url that the backend asynchronously requests, you can look for suspicious or unexpected HTTP requests originating from the mirror-registry server to internal network resources.

Commands to help detect exploitation attempts might include:

  • Using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the mirror-registry server.
  • Example tcpdump command (the port clause is parenthesised so that the host filter applies to both ports; without it, `and` binds tighter than `or` and all port 443 traffic would be captured): sudo tcpdump -i <interface> -nn 'host <mirror-registry-server-ip> and tcp port (80 or 443)'
  • Checking application logs for usage of the log export feature with unusual callback URLs.
  • Using curl or similar tools to test the log export feature with controlled callback URLs to observe backend behavior.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting or disabling the log export feature that accepts arbitrary callback URLs until a patch is applied.

Ensure that only trusted and validated URLs are accepted by the backend to prevent SSRF exploitation.

Limit network access from the mirror-registry backend to internal resources by implementing network segmentation or firewall rules that block unauthorized outbound HTTP requests.

Apply any available security updates or patches provided by the vendor as soon as they are released.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users to perform Server-Side Request Forgery (SSRF), enabling unauthorized access to sensitive internal information or systems. This unauthorized access could lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations such as GDPR or HIPAA that require safeguarding sensitive information.

Since the flaw can lead to unauthorized access to internal resources and potentially sensitive information, organizations using the affected component may face increased risk of data breaches or unauthorized data disclosure, which are critical compliance concerns under these standards.

