{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32589", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-12T14:39:53.657Z", "datePublished": "2026-04-08T17:04:20.284Z", "dateUpdated": "2026-04-28T06:09:02.117Z"}, "containers": {"cna": {"title": "Mirror-registry: quay: insecure direct object reference in blobupload", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload."}], "affected": [{"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:1"]}, {"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat Quay 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quay/quay-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quay:3"]}, {"vendor": "Red Hat", "product": "Red Hat Quay 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quay/quay-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quay:3"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-32589", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963", "name": "RHBZ#2446963", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-08T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key", "timeline": [{"lang": "en", "time": "2026-03-12T14:43:07.878Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-28T06:09:02.117Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:01:21.450628Z", "id": "CVE-2026-32589", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:01:32.402Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32589", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T18:01:21.450628Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:01:27.191Z"}}], "cna": {"title": "Mirror-registry: quay: insecure direct object reference in blobupload", "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:mirror_registry:1"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:mirror_registry:2"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quay:3"], "vendor": "Red Hat", "product": "Red Hat Quay 3", "packageName": "quay/quay-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quay:3"], "vendor": "Red Hat", "product": "Red Hat Quay 3", "packageName": "quay/quay-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-03-12T14:43:07.878Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-08T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-32589", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963", "name": "RHBZ#2446963", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-28T06:09:02.117Z"}, "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"}}, "cveMetadata": {"cveId": "CVE-2026-32589", "state": "PUBLISHED", "dateUpdated": "2026-04-28T06:09:02.117Z", "dateReserved": "2026-03-12T14:39:53.657Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-08T17:04:20.284Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:*:*:*:*:*:*:*", "matchCriteriaId": "63757310-FC5B-44E6-9211-36269827BC56", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "281E6AA4-1E08-488F-BA7A-F0BE7CF42A5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload."}], "id": "CVE-2026-32589", "lastModified": "2026-04-28T07:16:03.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "secalert@redhat.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2026-04-08T18:25:59.790", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-32589"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.", "bugzilla": {"description": "mirror-registry: quay: insecure direct object reference in BlobUpload", "id": "2446963", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L", "status": "draft"}, "cwe": "CWE-639", "details": ["A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload."], "name": "CVE-2026-32589", "package_state": [{"cpe": "cpe:/a:redhat:mirror_registry:1", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:mirror_registry:2", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-04-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32589\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32589"], "statement": "Exploitation requires valid login credentials to the Quay registry. Unauthenticated users cannot exploit this flaw.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "mirror registry for Red Hat OpenShift 2", "source": "cna", "vendor": "Red Hat"}, "product": "mirror_registry", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 88.0, "source": "matching"}]}, "original": {"product": "Red Hat Quay 3", "source": "cna", "vendor": "Red Hat"}, "product": "quay", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-29T00:32:33.513883+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for Red\u00a0Hat\u00a0Quay\u00a03 or upgrade the mirror registry to a fixed release.", "If a patch is not immediately available, limit push permissions to trusted users or temporarily disable blob uploads for non\u2011trusted accounts.", "Audit current push permissions for security compliance and revoke any unnecessary push rights to enforce the principle of least privilege."], "summary": {"action": "Patch ASAP", "impact": "Unauthorized manipulation of in\u2011progress image uploads"}, "threat_synthesis": {"affected_systems": "All versions of Red\u202fHat\u202fQuay\u202f3 and the mirror registry for Red\u202fHat OpenShift (versions\u202f1\u202fand\u202f2) are affected. The issue applies to any runtime that permits push permissions, regardless of the target repository\u2019s visibility to the attacker.", "description_and_impact": "A flaw in Red Hat Quay\u2019s container image upload process allows an authenticated user with push access to any repository to interfere with another user\u2019s in\u2011progress blob upload. The attacker can read the upload data, modify it, or cancel the transfer, potentially causing corruption or denial of service. This weakness is an example of insecure direct object reference (CWE\u2011639).", "risk_and_exploitability": "The CVSS score of 7.4 indicates a moderate to high severity. The EPSS score is 0.00032 (< 1%), and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker must first authenticate to the registry and possess push rights; no additional privileges or network reachability beyond that are required. The attack vector is therefore network\u2011based but relies on compromised or legitimate accounts with elevated repository permissions."}}}}, "created": "2026-04-08T19:38:58.283762+00:00", "updated": "2026-04-29T00:45:26.150200+00:00", "vendors": ["redhat", "redhat$PRODUCT$mirror_registry", "redhat$PRODUCT$quay"]}