← back
CVE-2026-32591

Mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration

CVSS 5.2 MEDIUMEPSS 0.3%CWE-918
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.2EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
08 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N