CVE-2026-32590
Modified Modified - Updated After Analysis
Deserialization Flaw in Red Hat Quay Enables Remote Code Execution

Publication date: 2026-04-08

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-06-09
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32590
EUVD
EUVD-2026-20515
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
redhat quay 3.0.0
redhat mirror_registry_for_red_hat_openshift *
redhat mirror_registry_for_red_hat_openshift 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32590 is a remote code execution vulnerability in Red Hat Quay version 3.12.x, specifically in the Mirror Registry component used in OpenShift.

The flaw arises from the unsafe use of Python's pickle module to serialize and deserialize hashlib state objects stored in the database during resumable container image layer uploads.

Specifically, the database fields `sha_state` and `piece_sha_state` in the `BlobUpload` model hold in-progress SHA-256 and SHA-1 hash states, and if these are tampered with, an attacker can execute arbitrary code on the Quay server.

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary code on the Red Hat Quay server.

An attacker can exploit this by being logged into the web application or by initiating podman execution from the host, potentially leading to full compromise of the affected system.

The impact includes complete control over the server, which can lead to data breaches, service disruption, or further attacks within the network.

Detection Guidance

This vulnerability is related to the unsafe deserialization of data in the Red Hat Quay database, specifically in the `sha_state` and `piece_sha_state` fields of the `BlobUpload` model. Detection involves checking if your Red Hat Quay instance is running a vulnerable version (3.12.x) and if the Mirror Registry component is in use.

Since the vulnerability involves exploitation through the web application or podman execution, monitoring unusual or unauthorized access to the Quay web interface or suspicious podman commands could help detect exploitation attempts.

No specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include verifying if your Red Hat Quay deployment is version 3.12.x and upgrading to a patched version once available.

Restrict access to the Quay web application and limit podman execution privileges on the host to trusted users only, as exploitation requires either web login or podman execution.

Monitor and audit database fields related to resumable uploads (`sha_state` and `piece_sha_state`) for any suspicious or tampered data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32590. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart