PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10052 Red Hat CVE debrief

A medium-severity vulnerability in Quay's config-tool allows authenticated attackers with config editor privileges to conduct internal network reconnaissance. The LDAP and SMTP validation functions make outbound connections to attacker-supplied endpoints without adequate IP or host filtering, enabling Server-Side Request Forgery (SSRF) from the Quay pod's network position. This flaw was disclosed on 2026-05-29 and is classified under CWE-918.

Vendor: Red Hat
Product: Red Hat Quay 3
CVSS: 4.1 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running Quay container registries, particularly those with multi-tenant or broadly delegated configuration access. Security teams responsible for container platform hardening, network segmentation, and SSRF prevention in Kubernetes or OpenShift environments. Red Hat customers using Quay should monitor vendor advisories for patch availability.

Technical summary

CVE-2026-10052 is a Server-Side Request Forgery vulnerability in the config-tool component of the Quay container registry. The LDAP and SMTP validation routines accept a user-supplied server endpoint and open an outbound connection to it to confirm the configuration works, but they do not adequately filter the IP address or hostname first. An attacker with config editor privileges can therefore supply an internal or otherwise restricted endpoint and have the Quay pod connect to it on their behalf. Because the connection originates from the pod's network position, the attacker can probe and map internal infrastructure (other pods, cluster services, hosts on the pod network) that would be unreachable from where they sit. The CVSS vector rates the attack as network-reachable and low complexity, requiring high privileges and no user interaction; the scope is changed because the affected systems lie outside config-tool's own security authority. The impact is limited to low confidentiality loss with no integrity or availability impact, which is consistent with the validation result acting as a reachability oracle rather than returning the target service's data.

Defensive priority

medium

Recommended defensive actions

  • Restrict config editor access to highly trusted administrators only; this vulnerability requires high privileges (PR:H) to exploit.
  • Review and implement network egress policies for Quay pods to limit outbound connectivity to only necessary endpoints, reducing the impact of SSRF from the pod's network position.
  • Monitor for anomalous outbound connection attempts from Quay pods, particularly to internal IP ranges or unexpected external destinations during config validation operations.
  • Apply vendor patches when available; track the Red Hat Bugzilla entry for remediation updates.
  • Validate that any custom or downstream implementations of config-tool LDAP/SMTP validation incorporate proper allowlisting of permitted endpoints and restrict connections to expected infrastructure only.
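The technical summary above describes the flaw class (a validation probe that dials whatever endpoint the config editor typed), and the last recommendation asks for allowlisting in any custom or downstream validator. The following Go code, added here as an illustration and not taken from Quay or config-tool, shows a minimal version of both: a probe with no filtering, and the same probe wrapped in a net.Dialer whose Control hook checks the resolved socket address against an operator-supplied allowlist of CIDRs. The Policy type, function names and the sample networks are assumptions made for this example. Checking in Control, after name resolution, matters because a hostname that resolves (or re-resolves) to an internal address is caught at connect time rather than only when the string is parsed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
	"time"
)

// Illustrative hardening for a config-tool style "validate LDAP/SMTP server"
// step. This is NOT the Quay code: the Policy type, the function names and
// the sample networks below are assumptions made for this example.

// Policy is the operator-supplied allowlist of networks a validation probe
// may reach. Everything outside it is refused. This is deliberately an
// allowlist rather than a "deny RFC 1918" list, which can be sidestepped with
// 0.0.0.0, link-local metadata addresses, IPv4-mapped IPv6 or a DNS name that
// resolves to an internal address.
type Policy struct {
	Allowed []*net.IPNet
}

// ParsePolicy builds a Policy from CIDR strings, rejecting any malformed entry.
func ParsePolicy(cidrs []string) (*Policy, error) {
	p := &Policy{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", c, err)
		}
		p.Allowed = append(p.Allowed, n)
	}
	return p, nil
}

// Permitted reports whether ip falls inside an allowed network. An IPv4-mapped
// IPv6 literal (::ffff:10.20.3.7) is reduced to its IPv4 form so it is matched
// against IPv4 allowlist entries instead of slipping past them.
func (p *Policy) Permitted(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	for _, n := range p.Allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckAddr is applied to the host:port the kernel is about to connect to.
// By this point address is an IP literal, so the decision is made on the
// resolved destination, not on the hostname the config editor typed.
func (p *Policy) CheckAddr(network, address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("%q is not an IP literal after resolution", host)
	}
	if !p.Permitted(ip) {
		return fmt.Errorf("refusing to connect to %s: not in validation allowlist", ip)
	}
	return nil
}

// Dialer returns a net.Dialer whose Control hook enforces the policy on every
// connection attempt, so validation code can keep using ordinary Dial calls.
func (p *Policy) Dialer(timeout time.Duration) *net.Dialer {
	return &net.Dialer{
		Timeout: timeout,
		Control: func(network, address string, _ syscall.RawConn) error {
			return p.CheckAddr(network, address)
		},
	}
}

// unsafeProbe mirrors the flaw class in the advisory: it dials whatever
// endpoint it was given, from the pod's own network position.
func unsafeProbe(ctx context.Context, hostport string) error {
	d := &net.Dialer{Timeout: 2 * time.Second}
	c, err := d.DialContext(ctx, "tcp", hostport)
	if err != nil {
		return err
	}
	return c.Close()
}

// safeProbe is the same validation step with the allowlist enforced.
func safeProbe(ctx context.Context, p *Policy, hostport string) error {
	c, err := p.Dialer(2*time.Second).DialContext(ctx, "tcp", hostport)
	if err != nil {
		return err
	}
	return c.Close()
}

func main() {
	// Constructed allowlist: the subnet where this deployment's LDAP and SMTP
	// servers live (an assumption for the example, not a real environment).
	p, err := ParsePolicy([]string{"10.20.0.0/16", "2001:db8:1::/64"})
	if err != nil {
		panic(err)
	}
	// A typical SSRF target: the cloud metadata address. The Control hook
	// refuses it before any packet leaves the pod.
	fmt.Println(safeProbe(context.Background(), p, "169.254.169.254:80"))
}
```

Two points worth noting for anyone adapting this: the allowlist should be configured by the platform operator, not by the same config editor role whose input is being validated, otherwise the attacker simply widens it; and the error returned to the editor on refusal should not echo DNS results or connection details, since that text is itself the reconnaissance oracle.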

Evidence notes

The vulnerability description indicates that config-tool validation functions for LDAP and SMTP lack proper filtering on user-supplied endpoints. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) reflects network attack vector, low complexity, high privileges required, no user interaction, changed scope, and low confidentiality impact. The weakness is identified as CWE-918 (Server-Side Request Forgery). Vendor attribution to Red Hat is indicated by source references, though the vendor field carries low confidence and a review flag.

Official resources

2026-05-29