Code Execution via Malformed Resumable Uploads in Red Hat Quay
CVE-2026-32590 Published on April 8, 2026

Mirror-registry: remote code execution using pickle deserialization
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

NVD

Vulnerability Analysis

CVE-2026-32590 is exploitable with network access, and requires user interaction and a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Timeline

Reported to Red Hat.

Made public, 27 days later.

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-32590 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.



Affected Versions

mirror registry for Red Hat OpenShift:
mirror registry for Red Hat OpenShift 2:
Red Hat Quay 3:
Red Hat Quay 3: