CVE-2026-10517
Clair Fetcher Component Server-Side Request Forgery
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| red_hat | clair | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the Clair fetcher component that allows an attacker to make outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without any filtering on IP addresses or URI schemes.
If Pre-Shared Key (PSK) authentication is not configured (which is optional and not enforced by default), an unauthenticated attacker can submit a manifest containing a URI that points to internal services or cloud metadata endpoints.
This results in a Server-Side Request Forgery (SSRF) vulnerability where the attacker can cause the server to make requests on their behalf and leak up to 256 bytes of error response content when the response is not HTTP 200.
However, Red Hat Quay deployments that are operator-managed automatically configure PSK and are not vulnerable to this unauthenticated attack.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to perform SSRF attacks, potentially accessing internal services or cloud metadata endpoints that should not be exposed.
Through this, the attacker may gain sensitive information leaked in error messages (up to 256 bytes), which could be used for further attacks or reconnaissance.
The impact is limited to confidentiality as indicated by the CVSS score, with no direct impact on integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that PSK authentication is configured and enforced in Clair deployments, as the unauthenticated attack vector is only possible when PSK authentication is not configured.
Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to this vulnerability, so using such managed deployments can also mitigate the risk.