Home

Description

A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.

PUBLISHED Reserved 2026-03-12 | Published 2026-04-08 | Updated 2026-04-08 | Assigner redhat




HIGH: 7.1CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-03-12:Reported to Red Hat.
2026-04-08:Made public.

Credits

Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-32589 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2446963 (RHBZ#2446963) issue-tracking

cve.org (CVE-2026-32589)

nvd.nist.gov (CVE-2026-32589)

Download JSON