CVE-2026-10052
LDAP and SMTP Endpoint Exposure in Quay config-tool
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | quay | up to 3.17 (exclusive) |
| redhat | quay | from 3.17 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10052 is a vulnerability in the Quay config-tool's LDAP and SMTP validation functions. These functions open outbound connections to user-supplied endpoints without any IP or host filtering, so anyone with config editor access can choose where the Quay pod connects.
Specifically, this is a Server-Side Request Forgery (SSRF) flaw: the attacker can make the Quay pod connect to internal network resources. This can be used for internal network reconnaissance, potentially mapping the internal network infrastructure.
The issue arises because the validation functions perform network calls (net.DialTimeout for SMTP and ldap.DialURL for LDAP) without restricting the targets. The LDAP validator also accepts the ldapi:// scheme and reflects LDAP result codes in its error messages, which could leak sensitive information.
In Quay versions 3.16 or earlier, the config editor web application was accessible via HTTP Basic Auth, increasing the attack surface. In later versions (3.17+), the web editor was removed, limiting the attack vector to CLI or container startup scenarios.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with config editor access to perform internal network reconnaissance from the Quay pod's network position.
Such reconnaissance can reveal details about your internal network infrastructure, potentially exposing sensitive internal services or systems that are not intended to be accessible externally.
Additionally, the LDAP validator's behavior of reflecting LDAP result codes in error messages could expose sensitive information about your LDAP setup.
While the vulnerability has a low severity rating (CVSS 4.1), it still poses a risk of information disclosure and internal network mapping, which could be leveraged in further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by determining whether the Quay config-tool's LDAP and SMTP validation functions can be made to open outbound connections to user-supplied endpoints without IP or host filtering.
Specifically, detection involves checking whether config editor access is enabled and whether the functions ValidateEmailServer (using net.DialTimeout) and ValidateLDAPServer (using ldap.DialURL) are being invoked with untrusted input.
Commands to detect potential exploitation or presence of this vulnerability could include monitoring network connections from the Quay pod to internal endpoints, for example using:
- netstat -tunp | grep <quay-pod-process>
- tcpdump -i <interface> host <quay-pod-ip> and port <ldap-or-smtp-port>
- Checking logs for unusual LDAP or SMTP validation attempts or errors that reflect LDAP result codes.
Additionally, verifying if the config editor web application is present (in Quay versions 3.16 or earlier) or if CLI/container startup scenarios are used (in 3.17 and later) can help assess exposure.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the config editor web application if running Quay version 3.16 or earlier, as it was removed in version 3.17 to reduce the attack surface.
Restrict access to the config editor to trusted users only, ensuring that only authorized personnel have config editor access.
Implement network-level filtering to prevent the Quay pod from making outbound connections to untrusted or internal endpoints via LDAP or SMTP validation functions.
Upgrade to Quay version 3.17 or later where the config editor web application is removed, reducing the attack vector.
Review and apply any patches or updates provided by the vendor addressing this vulnerability.
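The flaw described above (validators that dial whatever host the config author supplies, accept the ldapi:// scheme, and echo backend result codes) and the mitigation step of filtering outbound targets can both be illustrated with a small guard. The following is an added example written for this page, not Quay's own code: it shows the checks a validator should run before calling net.DialTimeout or ldap.DialURL. The function names (CheckLDAPURL, CheckSMTPTarget, SanitizeForUser), the LookupFunc type and the fakeLookup table are assumptions constructed for the example; the address ranges it blocks are the standard loopback, private, link-local, multicast and unspecified ranges from the Go standard library.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrDisallowedTarget is returned when policy, not connectivity, rejects an endpoint.
var ErrDisallowedTarget = errors.New("endpoint target not allowed")

// LookupFunc resolves a hostname; injected so the guard can be tested offline.
type LookupFunc func(host string) ([]net.IP, error)

// fakeLookup is a constructed resolver table for the example (not real DNS).
func fakeLookup(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"ldap.example.test": {net.ParseIP("203.0.113.10")},
		"mail.example.test": {net.ParseIP("198.51.100.25")},
		"internal.svc":      {net.ParseIP("10.1.2.3")},
		"localhost":         {net.ParseIP("127.0.0.1")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

// isPrivateOrLocal reports whether ip lies in a range a pod should never be
// asked to probe on behalf of an untrusted config author.
func isPrivateOrLocal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// checkHost resolves host (or parses it as an IP literal) and rejects it if any
// resulting address is internal. A literal IP is checked without a lookup.
func checkHost(host string, lookup LookupFunc) error {
	if host == "" {
		return fmt.Errorf("%w: empty host", ErrDisallowedTarget)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		var err error
		if ips, err = lookup(host); err != nil {
			return fmt.Errorf("cannot resolve %q: %w", host, err)
		}
	}
	for _, ip := range ips {
		if isPrivateOrLocal(ip) {
			return fmt.Errorf("%w: %s resolves to %s", ErrDisallowedTarget, host, ip)
		}
	}
	return nil
}

// CheckLDAPURL is the pre-dial check for an LDAP validator: only ldap:// and
// ldaps:// are accepted (ldapi:// would open a local Unix socket), and the host
// must resolve to a non-internal address.
func CheckLDAPURL(raw string, lookup LookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("malformed LDAP URL: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "ldap", "ldaps":
	default:
		return fmt.Errorf("%w: scheme %q", ErrDisallowedTarget, u.Scheme)
	}
	return checkHost(u.Hostname(), lookup)
}

// CheckSMTPTarget applies the same host policy to the host:port string an SMTP
// validator would otherwise hand straight to net.DialTimeout.
func CheckSMTPTarget(hostport string, lookup LookupFunc) error {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return fmt.Errorf("malformed SMTP address: %w", err)
	}
	return checkHost(host, lookup)
}

// SanitizeForUser is what the config editor should display. The detailed error
// (including any backend result code) belongs in server-side logs, not the UI.
func SanitizeForUser(err error) string {
	switch {
	case err == nil:
		return "validation succeeded"
	case errors.Is(err, ErrDisallowedTarget):
		return "endpoint rejected by policy"
	default:
		return "validation failed"
	}
}

func main() {
	for _, raw := range []string{
		"ldaps://ldap.example.test:636", // allowed
		"ldap://internal.svc",           // private range
		"ldap://[::1]:389",              // loopback literal
		"ldapi:///var/run/slapd/ldapi",  // forbidden scheme
	} {
		err := CheckLDAPURL(raw, fakeLookup)
		fmt.Printf("%-32s -> %s\n", raw, SanitizeForUser(err))
	}
	for _, hp := range []string{"mail.example.test:25", "localhost:25", "169.254.169.254:25"} {
		err := CheckSMTPTarget(hp, fakeLookup)
		fmt.Printf("%-32s -> %s\n", hp, SanitizeForUser(err))
	}
}
```

Two design points matter in practice. First, a validator that checks the name and then re-resolves it when dialing is open to the result changing between the two lookups, so production code should dial the vetted IP address (passing the hostname separately for TLS verification) rather than the name. Second, SanitizeForUser collapses every backend failure to one generic message precisely because the page notes that reflecting LDAP result codes to the editor is itself a leak; the detailed error is still available to log for operators.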
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.