Compliance Impact

The vulnerability allows an authenticated user with push access to interfere with and access in-progress image uploads of other users, including those in repositories they do not have permission to access.

This unauthorized access and potential modification of data could lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict controls over access to sensitive data and ensure data integrity and confidentiality.

Specifically, the ability to read, modify, or cancel another user's uploads may result in unauthorized disclosure or alteration of personal or sensitive information, thereby impacting compliance with these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-32589 is an Insecure Direct Object Reference (IDOR) vulnerability in Red Hat Quay's container image upload process, specifically within the OCI BlobUpload protocol.

An authenticated user with push access to any repository can interfere with image uploads in progress by other users, including those in repositories they do not have access to.

This interference allows the attacker to read, modify, or cancel another user's in-progress image upload.

The exploit requires the attacker to be logged into the web application or to initiate authenticated curl requests.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with limited permissions to perform unauthorized read, write, and delete operations on in-progress image uploads belonging to other users or tenants.

As a result, attackers can disrupt image uploads by canceling them or modifying the content, potentially leading to corrupted or tampered container images.

This can compromise the integrity and availability of container images, which may affect deployment processes and system reliability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring authenticated user activities related to the OCI BlobUpload protocol in Red Hat Quay's mirror-registry component. Specifically, look for unusual or unauthorized read, write, or delete operations on in-progress blob uploads that belong to other tenants.

Detection can involve checking logs for authenticated curl requests or web application sessions where users with push access perform operations on repositories they do not have permission to access.

While no explicit commands are provided, you can use authenticated curl commands to test the BlobUpload endpoints for unauthorized access attempts.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, ensure that only trusted authenticated users have push access to repositories, as the exploit requires authenticated access.

Monitor and restrict the use of the OCI BlobUpload protocol where possible, and consider limiting or auditing authenticated curl requests or web application sessions that perform image uploads.

Apply any available patches or updates from Red Hat for Quay and the Mirror Registry component as soon as they are released to address this high severity issue.

Useful 0 Not Useful 0