HIGH | CVE-2026-32589 | CNA: redhat
CVE-2026-32589: Mirror-registry: quay: insecure direct object reference in blobupload
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: 1779204086
- Affected Products: 4
Fix available: 1779204086, 1779689392
Affected packages
- Red Hat / Red Hat Quay 3.14 (Fixed in 1779689392)
- Red Hat / Red Hat Quay 3.16 (Fixed in 1779204086)
- Red Hat / mirror registry for Red Hat OpenShift
- Red Hat / mirror registry for Red Hat OpenShift 2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L