{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32591", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-12T14:39:53.657Z", "datePublished": "2026-04-08T17:06:58.222Z", "dateUpdated": "2026-04-08T17:06:58.222Z"}, "containers": {"cna": {"title": "Mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application."}], "affected": [{"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:1"]}, {"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat Quay 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quay/quay-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quay:3"]}, {"vendor": "Red Hat", "product": "Red Hat Quay 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quay/quay-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quay:3"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-32591", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446965", "name": "RHBZ#2446965", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-08T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)", "timeline": [{"lang": "en", "time": "2026-03-12T15:09:38.210Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-08T17:06:58.222Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application."}], "id": "CVE-2026-32591", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-08T18:26:00.107", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-32591"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446965"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.", "bugzilla": {"description": "mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration", "id": "2446965", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446965"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application."], "name": "CVE-2026-32591", "package_state": [{"cpe": "cpe:/a:redhat:mirror_registry:1", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:mirror_registry:2", "fix_state": "Affected", "package_name": "openshift/mirror-registry-rhel8", "product_name": "mirror registry for Red Hat OpenShift 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-04-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32591\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32591"], "statement": "Exploitation requires the attacker to be authenticated as an organization administrator.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "mirror registry for Red Hat OpenShift", "source": "cna", "vendor": "Red Hat"}, "product": "mirror_registry", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}, {"score": 96.0, "source": "matching"}]}, "original": {"product": "Red Hat Quay 3", "source": "cna", "vendor": "Red Hat"}, "product": "quay", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-08T18:51:05.811233+00:00", "value": {"mitigation_remediation": ["Check the Red\u00a0Hat security announcement linked in the CVE references and apply the vendor\u2011supplied patch or upgrade to the latest Quay or mirror registry version that removes the vulnerability.", "If a patch is not yet available, restrict organization\u2011administrator privileges so that only trusted individuals can configure proxy cache upstream registries.", "Consider disabling the proxy cache feature or enforcing a whitelist of allowed upstream registry hostnames to prevent arbitrary outbound connections."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery (unauthorized network access)"}, "threat_synthesis": {"affected_systems": "Red Hat Quay version 3 and the Red Hat mirror registry components for OpenShift, including mirror registry 1 and mirror registry 2. These components are commonly deployed on OpenShift clusters and are responsible for handling container image distribution and caching.", "description_and_impact": "Quay\u2019s proxy\u2011cache feature allows an organization administrator to specify an upstream registry for caching. The application does not validate the supplied hostname, allowing the administrator to provide a crafted address that forces Quay to establish an outgoing connection to any target reachable from the Quay host. Consequently, sensitive internal services, cloud\u2011infrastructure endpoints, and other normally protected resources may be queried or even accessed by the attacker. This vulnerability enables the exfiltration of private data or the exploitation of services that are not intended to be exposed, representing a moderate\u2011severity security risk. The weakness is identified as a server\u2011side request forgery (CWE\u2011918).", "risk_and_exploitability": "The CVSS score of 5.2 indicates moderate severity, and the exploit requires organization\u2011administrator privileges to inject the malicious hostname. Because the attack vector is not publicly reachable without privileged configuration access, the overall risk is moderate, with some dependency on internal access controls. No publicly available exploit data or KEV listing is present, and EPSS data is not available. The risk is mainly driven by the lack of hostname validation and the potential to reach unintended internal resources."}}}}, "created": "2026-04-08T19:38:56.030110+00:00", "updated": "2026-04-09T08:18:39.936108+00:00", "vendors": ["redhat", "redhat$PRODUCT$mirror_registry", "redhat$PRODUCT$quay"]}