CVE-2026-10517
Awaiting Analysis Awaiting Analysis - Queue
Clair Fetcher Component Server-Side Request Forgery

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Red Hat, Inc.

Description
A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints. The SSRF is reflective for non-200 responses, leaking up to 256 bytes of error body content via CheckResponse error messages. Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to the unauthenticated attack vector.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10517
EUVD
EUVD-2026-33599
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
red_hat clair *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in the Clair fetcher component that allows an attacker to make outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without any filtering on IP addresses or URI schemes.

If Pre-Shared Key (PSK) authentication is not configured (which is optional and not enforced by default), an unauthenticated attacker can submit a manifest containing a URI that points to internal services or cloud metadata endpoints.

This results in a Server-Side Request Forgery (SSRF) vulnerability where the attacker can cause the server to make requests on their behalf and leak up to 256 bytes of error response content when the response is not HTTP 200.

However, Red Hat Quay deployments that are operator-managed automatically configure PSK and are not vulnerable to this unauthenticated attack.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to perform SSRF attacks, potentially accessing internal services or cloud metadata endpoints that should not be exposed.

Through this, the attacker may gain sensitive information leaked in error messages (up to 256 bytes), which could be used for further attacks or reconnaissance.

The impact is limited to confidentiality as indicated by the CVSS score, with no direct impact on integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, ensure that PSK authentication is configured and enforced in Clair deployments, as the unauthenticated attack vector is only possible when PSK authentication is not configured.

Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to this vulnerability, so using such managed deployments can also mitigate the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart