CVE-2026-32590
Deserialization Flaw in Red Hat Quay Enables Remote Code Execution
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | quay | 3.0.0 |
| redhat | mirror_registry_for_red_hat_openshift | * |
| redhat | mirror_registry_for_red_hat_openshift | 2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32590 is a remote code execution vulnerability in Red Hat Quay version 3.12.x, specifically in the Mirror Registry component used in OpenShift.
The flaw arises from the unsafe use of Python's pickle module to serialize and deserialize hashlib state objects stored in the database during resumable container image layer uploads.
Specifically, the database fields `sha_state` and `piece_sha_state` in the `BlobUpload` model hold in-progress SHA-256 and SHA-1 hash states, and if these are tampered with, an attacker can execute arbitrary code on the Quay server.
How can this vulnerability impact me? :
This vulnerability allows an attacker to remotely execute arbitrary code on the Red Hat Quay server.
An attacker can exploit this by being logged into the web application or by initiating podman execution from the host, potentially leading to full compromise of the affected system.
The impact includes complete control over the server, which can lead to data breaches, service disruption, or further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to the unsafe deserialization of data in the Red Hat Quay database, specifically in the `sha_state` and `piece_sha_state` fields of the `BlobUpload` model. Detection involves checking if your Red Hat Quay instance is running a vulnerable version (3.12.x) and if the Mirror Registry component is in use.
Since the vulnerability involves exploitation through the web application or podman execution, monitoring unusual or unauthorized access to the Quay web interface or suspicious podman commands could help detect exploitation attempts.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include verifying if your Red Hat Quay deployment is version 3.12.x and upgrading to a patched version once available.
Restrict access to the Quay web application and limit podman execution privileges on the host to trusted users only, as exploitation requires either web login or podman execution.
Monitor and audit database fields related to resumable uploads (`sha_state` and `piece_sha_state`) for any suspicious or tampered data.