CVE-2026-32590

HIGH

Mirror-registry: remote code execution using pickle deserialization

Title source: cna
STIX 2.1

Description

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

References (10)

Core 10
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22465
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22629
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:22840
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:23361
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:24833
https://access.redhat.com/errata/RHSA-2026:24833
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24853
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-32590
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19375
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2446964
https://bugzilla.redhat.com/show_bug.cgi?id=2446964
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:21017

Scores

CVSS v3 7.1
EPSS 0.0041
EPSS Percentile 32.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (14)
Red Hat/mirror registry for Red Hat OpenShift
Red Hat/mirror registry for Red Hat OpenShift 2
Red Hat/Red Hat Quay 3
Red Hat/Red Hat Quay 3.1 1779822261
Red Hat/Red Hat Quay 3.12 1779811412
Red Hat/Red Hat Quay 3.14 1779689392
Red Hat/Red Hat Quay 3.15 1780891395
Red Hat/Red Hat Quay 3.16 1779204086
Red Hat/Red Hat Quay 3.17 1779922205
Red Hat/Red Hat Quay 3.17 1780604033
... and 4 more
Published Apr 08, 2026
Tracked Since Apr 08, 2026