PatchSiren cyber security CVE debrief
CVE-2026-32590 Red Hat CVE debrief
A vulnerability in Red Hat Quay's resumable container image layer upload functionality allows potential arbitrary code execution. The flaw lies in how intermediate upload data is stored in the database: if that stored data format is tampered with, an attacker could achieve code execution on the Quay server. The vulnerability carries a HIGH severity CVSS 3.1 score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). Red Hat has classified it as CWE-502 (Deserialization of Untrusted Data). The issue was published on April 8, 2026, with the record last modified on May 28, 2026. Affected products include Red Hat Quay 3.0.0 and Mirror Registry for Red Hat OpenShift (including version 2.0). Red Hat has issued security advisories RHSA-2026:19375 and RHSA-2026:21017 to address this vulnerability.
- Vendor: Red Hat
- Product: Red Hat Quay 3.14
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-08
- Original CVE updated: 2026-05-28
- Advisory published: 2026-04-08
- Advisory updated: 2026-05-28
Who should care
Organizations running Red Hat Quay 3.0.0 or Mirror Registry for Red Hat OpenShift 2.0 for container image storage and distribution. Security teams responsible for container registry infrastructure, DevOps engineers managing Quay deployments, and compliance officers tracking HIGH severity vulnerabilities in supply chain infrastructure should prioritize this patch.
Technical summary
The vulnerability stems from insecure handling of intermediate data during resumable container image layer uploads in Red Hat Quay. The upload process stores partial data in a database format that, when manipulated by an attacker, can lead to deserialization of untrusted data (CWE-502) and subsequent arbitrary code execution on the Quay server. The attack requires network access (AV:N), high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:R), with impacts rated HIGH for confidentiality, integrity, and availability. The scope remains unchanged (S:U), indicating the vulnerable component is the impacted component.
Defensive priority
HIGH
Recommended defensive actions
- Apply Red Hat security advisories RHSA-2026:19375 and RHSA-2026:21017 as soon as possible to affected Quay and Mirror Registry deployments.
- Review database access controls for Quay's upload storage to limit exposure of intermediate upload data.
- Monitor for anomalous upload patterns or database access that could indicate attempted exploitation of this deserialization flaw.
- Validate that resumable upload functionality is only exposed to authenticated users with appropriate authorization, given the PR:L (Privileges Required: Low) rating.
- Consider network segmentation to restrict Quay server access to trusted administrative hosts only.
Evidence notes
The vulnerability description and CVSS vector are sourced from NVD and Red Hat's official security data. CPE criteria confirm the affected versions. The CWE-502 classification indicates a deserialization-related attack vector. The HIGH attack complexity (AC:H) and required user interaction (UI:R) suggest this is not trivially exploitable, but it remains serious because the confidentiality, integrity, and availability impacts are all rated HIGH.
Official resources
- CVE-2026-32590 CVE record (CVE.org)
- CVE-2026-32590 NVD detail (NVD)
- Vendor advisory (Red Hat)
- Issue tracking and vendor advisory (Red Hat)
Red Hat disclosed this vulnerability through coordinated security advisory release. The issue was tracked in Red Hat Bugzilla (ID 2446964) and addressed through official errata. No known exploitation in ransomware campaigns has been catalog