Red Hat Quay Auth User Interferes with in-progress Image Upload
CVE-2026-32589 Published on April 8, 2026
Mirror-registry: quay: insecure direct object reference in blobupload
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Vulnerability Analysis
CVE-2026-32589 can be exploited with network access, and requires user interaction and a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be small for confidentiality, high for integrity, and small for availability.
Timeline
Reported to Red Hat.
Made public 27 days later.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-32589 has been classified as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
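The weakness class described above, as an added example that is not Red Hat Quay's code or part of the original advisory: a simplified model of upload-session lookup, with a function that fetches the upload by identifier alone beside one that ties it to the repository the caller was authorized for. The data model, the user and repository names, and the assumption that the check takes this shape are all illustrative.

```python
from dataclasses import dataclass

class Forbidden(Exception): pass
class NotFound(Exception): pass

@dataclass
class Upload:
    upload_id: str
    repository: str   # repository the upload session was opened in
    data: bytes = b""

# Constructed sample state; all names are hypothetical.
UPLOADS = {"u-1001": Upload("u-1001", "team-a/app", b"partial-layer")}
PUSH_ACCESS = {"alice": {"team-a/app"}, "mallory": {"mallory/scratch"}}

def can_push(user: str, repository: str) -> bool:
    return repository in PUSH_ACCESS.get(user, set())

def get_upload_unscoped(user, repository, upload_id):
    """Weak pattern: permission is checked on the repository named in the
    request, but the upload is then fetched by its identifier alone."""
    if not can_push(user, repository):
        raise Forbidden(repository)
    upload = UPLOADS.get(upload_id)
    if upload is None:
        raise NotFound(upload_id)
    return upload

def get_upload_scoped(user, repository, upload_id):
    """Corrected pattern: the upload must belong to the repository the
    caller was authorized for; a mismatch is reported as not found so the
    response does not confirm that the identifier exists elsewhere."""
    if not can_push(user, repository):
        raise Forbidden(repository)
    upload = UPLOADS.get(upload_id)
    if upload is None or upload.repository != repository:
        raise NotFound(upload_id)
    return upload

def outcome(lookup, user, repository, upload_id) -> str:
    """Run a lookup and summarize the result for side-by-side comparison."""
    try:
        return "served:" + lookup(user, repository, upload_id).repository
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__
```

The same scoping applies to every operation on the session (read, append, cancel), not only the lookup shown here.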
Products Associated with CVE-2026-32589
Red Hat Mirror Registry and Red Hat Quay.