PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2377 Red Hat CVE debrief

A Server-Side Request Forgery (SSRF) vulnerability in Red Hat's Mirror Registry for Red Hat OpenShift allows authenticated attackers to abuse the log export feature by supplying a crafted URL, forcing the backend to make unauthorized requests to internal network resources. Published 2026-04-08 and modified 2026-05-20, this flaw carries a CVSS 3.1 score of 6.5 (Medium severity) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-918 and affects Mirror Registry for Red Hat OpenShift (including version 2.0) and Red Hat Quay 3.0.0. Red Hat has issued security advisory RHSA-2026:19375 to address this issue.

Vendor
Red Hat
Product
Red Hat Quay 3.16
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-08
Original CVE updated
2026-05-20
Advisory published
2026-04-08
Advisory updated
2026-05-20

Who should care

Organizations running Mirror Registry for Red Hat OpenShift or Red Hat Quay 3.0.0, particularly those with externally accessible instances and multi-tenant environments where authenticated users are not fully trusted. Security teams responsible for container registry infrastructure and network segmentation should prioritize review.

Technical summary

The Mirror Registry for Red Hat OpenShift contains a log export feature that accepts user-supplied URLs without adequate validation. Authenticated attackers can exploit this by providing specially crafted URLs that cause the application backend to initiate requests to arbitrary internal network destinations. This SSRF vulnerability (CWE-918) enables unauthorized access to sensitive internal information and potentially other internal systems. The attack requires network access and valid authentication credentials but does not require user interaction. The confidentiality impact is rated High, with no direct impact to integrity or availability.

Defensive priority

Medium

Recommended defensive actions

  • Apply Red Hat security advisory RHSA-2026:19375 when available
  • Review and restrict network access for Mirror Registry backend services
  • Implement URL validation and allowlisting for log export functionality
  • Monitor for anomalous outbound requests from Mirror Registry instances
  • Audit authenticated user access to log export features
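The validation and allowlisting action above is the one most often implemented incorrectly, so here is an added example of what a defensible check for an operator-configurable export destination looks like. It is illustrative code written for this debrief, not Red Hat's fix and not code from Quay or Mirror Registry; the allowlist entries, the hostnames, the resolver stub and all sample URLs are constructed. It enforces a scheme allowlist, rejects embedded credentials, requires the host to be on an explicit allowlist, and then resolves the name and rejects any address in loopback, link-local, private or otherwise non-routable space, which is what catches the cloud metadata address and DNS records that point an allowlisted name back inside the network.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical operator configuration: only TLS, only to named export targets.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"siem.example.com", "logs.example.com"}  # constructed names


def _resolve_all(host):
    """Return every address (A and AAAA) a hostname resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_blocked(addr):
    """True for addresses a log export must never be sent to."""
    ip = ipaddress.ip_address(addr)
    # is_private already covers 127/8, 169.254/16 (cloud metadata), RFC 1918
    # and the documentation ranges; the other flags cover the rest.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_export_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve_all):
    """Return (ok, reason). ok is True only if every check passes.

    `resolve` is injectable so the check can be exercised without live DNS.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    # "https://allowed.host@attacker.host/" parses the allowed name as userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not in allowlist"
    # An allowlisted name can still resolve to an internal address (stale or
    # attacker-controlled DNS, rebinding), so check every resolved address.
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"host resolves to non-routable address {addr}"
    return True, "ok"


# Constructed resolver standing in for DNS: one name points to a public
# address, the other has been rebound to the cloud metadata address.
_CONSTRUCTED_DNS = {
    "siem.example.com": {"93.184.216.34"},
    "logs.example.com": {"169.254.169.254"},
}


def _constructed_resolve(host):
    if host not in _CONSTRUCTED_DNS:
        raise OSError(f"no such host: {host}")
    return _CONSTRUCTED_DNS[host]


def demo():
    """Run the validator over constructed sample URLs; returns {url: ok}."""
    samples = [
        "https://siem.example.com/ingest",           # legitimate destination
        "https://logs.example.com/ingest",           # allowlisted, rebound to metadata
        "http://siem.example.com/ingest",            # plaintext scheme
        "https://siem.example.com@10.0.0.5/admin",   # userinfo trick
        "https://127.0.0.1:8080/",                   # not on the allowlist
        "https://[::1]/",                            # IPv6 loopback, not allowlisted
    ]
    return {u: validate_export_url(u, resolve=_constructed_resolve)[0] for u in samples}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(("ALLOW " if ok else "REJECT"), url)
```

The resolved-address check matters in practice because an allowlist of names alone still trusts DNS; if the export feature later connects with a separate lookup, the request should be pinned to the address that was validated (or validated again at connect time) so the result cannot change between check and use.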

Evidence notes

Vulnerability description and CVSS data sourced from NVD record. Vendor attribution and affected product versions confirmed via NVD CPE criteria. CWE-918 classification and Red Hat advisory references (RHSA-2026:19375, Bugzilla 2439201) extracted from official NVD reference metadata.

Official resources

2026-04-08