{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32590", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-12T14:39:53.657Z", "datePublished": "2026-04-08T17:04:22.870Z", "dateUpdated": "2026-04-21T23:33:34.858Z"}, "containers": {"cna": {"title": "Mirror-registry: remote code execution using pickle deserialization", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server."}], "affected": [{"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:1"]}, {"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat Quay 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quay/quay-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quay:3"]}, {"vendor": "Red Hat", "product": "Red Hat Quay 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quay/quay-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quay:3"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-32590", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446964", "name": "RHBZ#2446964", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-08T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data", "timeline": [{"lang": "en", "time": "2026-03-12T14:43:11.443Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-21T23:33:34.858Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:14:47.764287Z", "id": "CVE-2026-32590", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:14:55.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32590", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T19:14:47.764287Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:14:52.191Z"}}], "cna": {"title": "Mirror-registry: remote code execution using pickle deserialization", "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:mirror_registry:1"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:mirror_registry:2"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quay:3"], "vendor": "Red Hat", "product": "Red Hat Quay 3", "packageName": "quay/quay-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quay:3"], "vendor": "Red Hat", "product": "Red Hat Quay 3", "packageName": "quay/quay-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-03-12T14:43:11.443Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-08T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-32590", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446964", "name": "RHBZ#2446964", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-21T23:33:34.858Z"}, "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data"}}, "cveMetadata": {"cveId": "CVE-2026-32590", "state": "PUBLISHED", "dateUpdated": "2026-04-21T23:33:34.858Z", "dateReserved": "2026-03-12T14:39:53.657Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-08T17:04:22.870Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:*:*:*:*:*:*:*", "matchCriteriaId": "63757310-FC5B-44E6-9211-36269827BC56", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "281E6AA4-1E08-488F-BA7A-F0BE7CF42A5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server."}], "id": "CVE-2026-32590", "lastModified": "2026-04-21T23:20:52.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T18:25:59.947", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-32590"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446964"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.", "bugzilla": {"description": "mirror-registry: remote code execution using pickle deserialization", "id": "2446964", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446964"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server."], "name": "CVE-2026-32590", "package_state": [{"cpe": "cpe:/a:redhat:mirror_registry:1", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:mirror_registry:2", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-04-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32590\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32590"], "statement": "Exploitation requires valid login credentials. The attacker must be authenticated to the registry, either through the web interface or through a container tool such as Podman.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "mirror registry for Red Hat OpenShift", "source": "cna", "vendor": "Red Hat"}, "product": "mirror_registry", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Quay 3", "source": "cna", "vendor": "Red Hat"}, "product": "quay", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-08T18:51:26.525301+00:00", "value": {"mitigation_remediation": ["Apply the latest Red\u202fHat Quay 3 update that addresses the deserialization issue.\u00a0", "Upgrade the mirror registry for OpenShift to a version that has patched the upload handling flaw.\u00a0", "If a patch is not available, restrict network access to the upload endpoint so only trusted hosts can submit image layers.\u00a0", "Monitor the upload logs for abnormal activity and audit the database for suspicious serialized objects.\u00a0", "Contact Red\u202fHat support for guidance if remediation steps are unclear."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects Red\u202fHat Quay version\u202f3 and the Red\u202fHat mirror registry used in OpenShift, with affected releases identified as mirror registry 1 and 2. Users deploying these components without a recent fix are vulnerable.", "description_and_impact": "The vulnerability lies in how Red\u202fHat Quay handles resumable container image layer uploads. During the upload process the server stores intermediate data in its database in a serialized format that is not properly safeguarded. If an attacker can modify that serialized payload, the deserialization step can trigger arbitrary code execution on the Quay host, exposing the system to full compromise. The weakness is a classic unsafe deserialization flaw, classified as CWE\u2011502.", "risk_and_exploitability": "The CVSS base score is 7.1, indicating a high severity. EPSS data is not yet available, and the vulnerability is not in the KEV catalog, suggesting no mass exploitation yet. Nevertheless, the attack vector requires that an attacker be able to inject a crafted payload into the upload workflow, which is feasible for internal threat actors or compromised clients. Once exploited, the attacker can run arbitrary code with the permissions of the Quay service, potentially leading to full system takeover."}}}}, "created": "2026-04-08T19:38:57.279128+00:00", "updated": "2026-04-09T08:18:40.922803+00:00", "vendors": ["redhat", "redhat$PRODUCT$mirror_registry", "redhat$PRODUCT$quay"]}