CVE-2026-32590

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:24833
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:28441
https://access.redhat.com/security/cve/CVE-2026-32590	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2446964	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:::::::*
	cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:::::::*
	cpe:2.3:a:redhat:quay:3.0.0:::::::*

History

23 Jun 2026, 18:17

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:28441 -

09 Jun 2026, 17:17

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:24853 -

09 Jun 2026, 14:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:24833 -

04 Jun 2026, 16:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:23361 -

03 Jun 2026, 14:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:22840 -

03 Jun 2026, 06:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:22629 -

02 Jun 2026, 16:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:22465 -

28 May 2026, 03:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:21017 -

20 May 2026, 04:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:19375 -

21 Apr 2026, 23:20

Type	Values Removed	Values Added
First Time		Redhat Redhat mirror Registry For Red Hat Openshift Redhat quay
CPE		cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:::::::* cpe:2.3:a:redhat:quay:3.0.0:::::::* cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:::::::*
References	~~() https://access.redhat.com/security/cve/CVE-2026-32590 -~~	() https://access.redhat.com/security/cve/CVE-2026-32590 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2446964 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2446964 - Issue Tracking, Vendor Advisory

08 Apr 2026, 18:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 18:25

Updated : 2026-06-23 18:17

NVD link : CVE-2026-32590

Mitre link : CVE-2026-32590

CVE.ORG link : CVE-2026-32590

JSON object : View

Products Affected

redhat

mirror_registry_for_red_hat_openshift
quay

CWE

CWE-502

Deserialization of Untrusted Data

7.1 /10