CVE-2026-32589
Insecure Image Upload Interference in Red Hat Quay Registry
Publication date: 2026-04-08
Last updated on: 2026-04-28
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | quay | 3.0.0 |
| redhat | mirror_registry_for_red_hat_openshift | * |
| redhat | mirror_registry_for_red_hat_openshift | 2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with push access to interfere with and access in-progress image uploads of other users, including those in repositories they do not have permission to access.
This unauthorized access and potential modification of data could lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and ensure data integrity and confidentiality.
Specifically, the ability to read, modify, or cancel another user's uploads may result in unauthorized disclosure or alteration of personal or sensitive information, thereby impacting compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-32589 is an Insecure Direct Object Reference (IDOR) vulnerability in Red Hat Quay's container image upload process, specifically within the OCI BlobUpload protocol.
An authenticated user with push access to any repository can interfere with image uploads in progress by other users, including those in repositories they do not have access to.
This interference allows the attacker to read, modify, or cancel another user's in-progress image upload.
The exploit requires the attacker to be logged into the web application or to initiate authenticated curl requests.
How can this vulnerability impact me?
This vulnerability can allow an attacker with limited permissions to perform unauthorized read, write, and delete operations on in-progress image uploads belonging to other users or tenants.
As a result, attackers can disrupt image uploads by canceling them or modifying the content, potentially leading to corrupted or tampered container images.
This can compromise the integrity and availability of container images, which may affect deployment processes and system reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring authenticated user activity on the OCI BlobUpload endpoints of Red Hat Quay and the mirror-registry component. Specifically, look for read, write, or delete operations on an in-progress blob upload session whose identifier was issued to a different user or a different repository than the one in the request path.
Detection can involve reviewing registry access logs for authenticated curl requests or web application sessions in which a user with push access operates on upload sessions belonging to repositories they do not have permission to access.
No vendor-supplied detection commands are provided; you can use authenticated curl requests against the BlobUpload endpoints of a test instance to confirm whether an upload session from one repository can be accessed through another repository's path.
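As an added example (not part of this CVE record and not Red Hat's own tooling), the following script applies the log-review heuristic described above to constructed sample lines. It assumes a simple `<user> <timestamp> <method> <path> <status>` log format and treats the first user/repository pair seen with an upload-session id as that session's owner; both are assumptions to adapt to a real Quay deployment.

```python
import re
from typing import Dict, List, Tuple

# Log format is an assumption for this example: "<user> <timestamp> <method> <path> <status>".
# Real Quay access logs differ; adapt LOG_RE to your deployment.
LOG_RE = re.compile(
    r"^(?P<user>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# OCI distribution upload-session path: /v2/<name>/blobs/uploads/<session-id>
UPLOAD_RE = re.compile(r"^/v2/(?P<repo>.+?)/blobs/uploads/(?P<uuid>[0-9a-fA-F-]{36})$")

# Constructed sample: alice streams a blob into team-a/app; mallory, who only
# pushes to mallory/scratch, then references alice's session id from her own repo path.
SAMPLE_LOG = """\
alice 2026-04-08T10:00:01Z PATCH /v2/team-a/app/blobs/uploads/3f2c9b1e-7a44-4d0e-9c2b-1a2b3c4d5e6f 202
alice 2026-04-08T10:00:02Z PATCH /v2/team-a/app/blobs/uploads/3f2c9b1e-7a44-4d0e-9c2b-1a2b3c4d5e6f 202
mallory 2026-04-08T10:00:03Z PATCH /v2/mallory/scratch/blobs/uploads/8e1d2c3b-4a5f-4e6d-8c7b-9a0b1c2d3e4f 202
mallory 2026-04-08T10:00:04Z GET /v2/mallory/scratch/blobs/uploads/3f2c9b1e-7a44-4d0e-9c2b-1a2b3c4d5e6f 204
mallory 2026-04-08T10:00:05Z DELETE /v2/mallory/scratch/blobs/uploads/3f2c9b1e-7a44-4d0e-9c2b-1a2b3c4d5e6f 204
alice 2026-04-08T10:00:06Z PUT /v2/team-a/app/blobs/uploads/3f2c9b1e-7a44-4d0e-9c2b-1a2b3c4d5e6f?digest=sha256:0000 404
"""


def find_cross_tenant_upload_access(lines: List[str]) -> List[dict]:
    """Flag upload-session ids referenced by a different user or repository than the
    one that first used them (first-sighting heuristic: the POST that creates the
    session is usually logged without the id, so the first PATCH/PUT/GET stands in)."""
    owners: Dict[str, Tuple[str, str]] = {}
    alerts: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop ?digest=... on the final PUT
        u = UPLOAD_RE.match(path)
        if not u:
            continue
        key = (m["user"], u["repo"])
        owner = owners.setdefault(u["uuid"], key)
        if owner != key:
            alerts.append({
                "ts": m["ts"], "user": m["user"], "method": m["method"],
                "repo_in_path": u["repo"], "status": int(m["status"]),
                "session": u["uuid"], "session_owner": owner[0], "session_repo": owner[1],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cross_tenant_upload_access(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 2xx status on a flagged line is the stronger signal: it means the registry served another tenant's session rather than rejecting the request.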
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that only trusted authenticated users have push access to repositories, as the exploit requires authenticated access.
Monitor and restrict the use of the OCI BlobUpload protocol where possible, and consider limiting or auditing authenticated curl requests or web application sessions that perform image uploads.
Apply any available patches or updates from Red Hat for Quay and the Mirror Registry component as soon as they are released to address this high severity issue.