PatchSiren cyber security CVE debrief

CVE-2026-32589 Red Hat CVE debrief

A vulnerability in Red Hat Quay's container image upload process allows authenticated users with push access to any repository to interfere with in-progress image uploads by other users, including those in repositories they do not have access to. This interference could enable an attacker to read, modify, or cancel another user's upload. The issue was published on 2026-04-08 and last modified on 2026-05-28. The vulnerability affects Mirror Registry for Red Hat OpenShift and Red Hat Quay 3.0.0. Red Hat has issued security advisories RHSA-2026:19375 and RHSA-2026:21017 to address this flaw. The weakness is categorized as CWE-639 (Authorization Bypass Through User-Controlled Key).

Vendor: Red Hat
Product: Red Hat Quay 3.14
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-08
Original CVE updated: 2026-05-28
Advisory published: 2026-04-08
Advisory updated: 2026-05-28

Who should care

Organizations running Red Hat Quay or Mirror Registry for Red Hat OpenShift with multi-tenant registry deployments where users from different trust boundaries share the same registry instance. Security teams responsible for container supply chain integrity and DevOps teams managing container image build and push pipelines.

Technical summary

The vulnerability exists in the image upload handling logic of Red Hat Quay, where insufficient authorization checks allow authenticated users with push access to any repository to identify and manipulate upload sessions belonging to other users. The upload process appears to use identifiers that can be predicted or accessed across repository boundaries, enabling an attacker to read partial upload content, modify uploads in progress, or cancel uploads they do not own. This is an authorization bypass (CWE-639): the user-controlled key (the upload session identifier) is accepted without being validated against the requesting user's permissions on the repository that owns the session. The CVSS 3.1 score of 7.4 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, low impact on each of confidentiality, integrity, and availability, and a changed scope, indicating impact beyond the resources the attacker is authorized to use.
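The following is an added illustration of the CWE-639 pattern the summary describes, written as a toy registry model rather than Quay's own code: the class and function names (UploadStore, append_chunk_vulnerable, append_chunk, cancel_upload), the permission table and the user and repository names are all constructed for the example. The vulnerable path authorizes the caller as "someone with push access somewhere" and then trusts the supplied session id; the hardened path resolves the session only within the repository named in the request and checks push access on that repository first, so a valid id from another tenant's repository is indistinguishable from an unknown id.

```python
"""Toy model of an upload-session authorization check (constructed example,
not Red Hat Quay code). Demonstrates why a lookup keyed only by a
user-supplied session id is an authorization bypass (CWE-639) and how
scoping the lookup to the requested repository closes it."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested upload session."""


@dataclass
class UploadSession:
    session_id: str
    repository: str                      # "namespace/name"
    owner: str
    chunks: list[bytes] = field(default_factory=list)
    cancelled: bool = False


class UploadStore:
    """Holds in-progress blob uploads for every repository in the registry."""

    def __init__(self) -> None:
        self._sessions: dict[str, UploadSession] = {}
        # constructed permission table: user -> repositories with push access
        self._push_access: dict[str, set[str]] = {}

    def grant_push(self, user: str, repository: str) -> None:
        self._push_access.setdefault(user, set()).add(repository)

    def can_push(self, user: str, repository: str) -> bool:
        return repository in self._push_access.get(user, set())

    def start_upload(self, user: str, repository: str) -> str:
        if not self.can_push(user, repository):
            raise Forbidden(f"{user} has no push access to {repository}")
        session_id = uuid.uuid4().hex
        self._sessions[session_id] = UploadSession(session_id, repository, user)
        return session_id

    # --- vulnerable pattern -------------------------------------------------
    def append_chunk_vulnerable(self, user: str, session_id: str, data: bytes) -> None:
        """Checks only that the caller can push *somewhere*, then trusts the
        user-controlled session id: every session in the registry is reachable."""
        if not self._push_access.get(user):
            raise Forbidden(f"{user} has no push access anywhere")
        session = self._sessions[session_id]          # no repository check
        session.chunks.append(data)

    # --- hardened pattern ---------------------------------------------------
    def _authorized_session(self, user: str, repository: str, session_id: str) -> UploadSession:
        """Resolve a session only inside the repository the request names, after
        confirming the caller may push to that repository."""
        if not self.can_push(user, repository):
            raise Forbidden(f"{user} has no push access to {repository}")
        session = self._sessions.get(session_id)
        if session is None or session.repository != repository or session.cancelled:
            # a live id from another repository looks exactly like an unknown id
            raise Forbidden("upload session not found in this repository")
        return session

    def append_chunk(self, user: str, repository: str, session_id: str, data: bytes) -> None:
        self._authorized_session(user, repository, session_id).chunks.append(data)

    def cancel_upload(self, user: str, repository: str, session_id: str) -> None:
        self._authorized_session(user, repository, session_id).cancelled = True


def demo() -> dict[str, bool]:
    """Constructed scenario: alice pushes to team-a/app; bob can push only to
    team-b/tools. Returns whether bob's cross-repository write landed under
    each code path."""
    store = UploadStore()
    store.grant_push("alice", "team-a/app")
    store.grant_push("bob", "team-b/tools")
    sid = store.start_upload("alice", "team-a/app")
    store.append_chunk("alice", "team-a/app", sid, b"layer-part-1")

    result: dict[str, bool] = {}
    # vulnerable path: knowing a session id from any repository is enough
    store.append_chunk_vulnerable("bob", sid, b"tampered")
    result["vulnerable_write_landed"] = b"tampered" in store._sessions[sid].chunks

    # hardened path, naming the victim repository: no push access there
    try:
        store.append_chunk("bob", "team-a/app", sid, b"tampered")
        result["hardened_write_landed"] = True
    except Forbidden:
        result["hardened_write_landed"] = False

    # hardened path, naming bob's own repository: session is not in it
    try:
        store.append_chunk("bob", "team-b/tools", sid, b"tampered")
        result["hardened_write_via_own_repo_landed"] = True
    except Forbidden:
        result["hardened_write_via_own_repo_landed"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the repository is part of the lookup key, not just an attribute checked afterwards: read, append and cancel all go through the same `_authorized_session` helper, so there is one place where the permission check and the ownership check can be audited, and an unauthorized caller learns nothing about whether a given session id exists.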

Defensive priority

HIGH

Recommended defensive actions

  • Apply Red Hat security advisories RHSA-2026:19375 and RHSA-2026:21017 as soon as possible
  • Review repository access controls to ensure principle of least privilege for push permissions
  • Monitor upload logs for anomalous interference patterns
  • Validate image integrity through digest verification after upload completion
  • Consider implementing additional upload session isolation controls pending full patch deployment

Evidence notes

Vulnerability description and affected products confirmed via NVD CPE data and Red Hat security advisories. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L yields score 7.4 (HIGH). CWE-639 classification provided by Red Hat.

Official resources

2026-04-08