PatchSiren cyber security CVE debrief
CVE-2026-32591 Red Hat CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability exists in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, the Quay server establishes network connections to the specified hostname without validating that it resolves to a legitimate external service. This allows an attacker with organization administrator privileges to supply a crafted hostname, forcing the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should be inaccessible from the application. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges required, user interaction required, and unchanged scope, with high confidentiality impact and low integrity impact.
- Vendor: Red Hat
- Product: Red Hat Quay 3.14
- CVSS: MEDIUM 5.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-08
- Original CVE updated: 2026-05-28
- Advisory published: 2026-04-08
- Advisory updated: 2026-05-28
Who should care
Organizations running Red Hat Quay with Proxy Cache enabled, particularly those with multiple organization administrators or shared registry infrastructure. Security teams responsible for container supply chain security, cloud infrastructure administrators, and DevOps teams managing Quay deployments should prioritize review of proxy cache configurations and administrator access controls.
Technical summary
The vulnerability stems from insufficient validation of user-supplied upstream registry hostnames in the Proxy Cache configuration feature. When an organization administrator enters a hostname, Quay performs DNS resolution and establishes TCP connections without verifying the destination is an intended external registry service. This enables SSRF attacks where the server can be coerced into accessing internal IP ranges (RFC 1918), cloud metadata endpoints (169.254.169.254), or other restricted infrastructure. The attack requires high privileges (organization administrator) and user interaction, limiting exploitability but not eliminating risk in multi-tenant or compromised-admin scenarios.
Defensive priority
Medium
Recommended defensive actions
- Review and restrict organization administrator privileges to trusted personnel only
- Implement network segmentation to limit Quay server egress to approved external registry endpoints only
- Monitor Quay server outbound network connections for anomalous destinations
- Apply Red Hat security advisories RHSA-2026:19375 and RHSA-2026:21017 when available
- Validate upstream registry hostnames against an allowlist of approved external services before configuration
- Review proxy cache configurations for unauthorized or suspicious upstream registry entries
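As an added illustration of the allowlist-plus-address check recommended above (example code written for this debrief, not Quay's own validation logic; the allowlisted hostnames, the injectable resolver and the sample addresses are assumptions), the function below accepts an upstream entry only if the hostname is on an allowlist and every address it resolves to is publicly routable:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of approved upstream registries (illustrative values,
# not a setting taken from Quay or from the advisory).
APPROVED_UPSTREAMS = {"quay.io", "registry.redhat.io", "registry.example.com"}


def resolve_all(host):
    """Default resolver: every A/AAAA address the hostname maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_upstream(upstream, resolver=resolve_all):
    """Validate an upstream registry entry before it is stored.

    Returns (ok, reason). Rejects hosts that are not on the allowlist and hosts
    that resolve (even partially) to private, loopback, link-local
    (e.g. 169.254.169.254) or otherwise non-public addresses. `resolver` is
    injectable so the check can be exercised without live DNS.
    """
    # Accept a bare hostname or a URL-shaped entry such as https://host:443/v2/
    parts = urlsplit(upstream if "://" in upstream else "//" + upstream)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "empty hostname"
    if host not in APPROVED_UPSTREAMS:
        return False, f"{host} is not an approved upstream registry"
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"DNS resolution of {host} failed: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it is judged as IPv4
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for RFC 1918, loopback, link-local, CGNAT,
        # documentation and reserved ranges
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, f"{host} -> {', '.join(addrs)}"
```

The later connection should be made to the addresses that passed this check rather than re-resolving the hostname, otherwise a DNS answer that changes between validation and use can still steer the request inward.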
Evidence notes
Vulnerability description sourced from NVD record published 2026-04-08 and modified 2026-05-28. Vendor advisories and issue tracking available via Red Hat Bugzilla. CPE criteria confirm affected products: Red Hat Mirror Registry for Red Hat OpenShift (including version 2.0) and Red Hat Quay 3.0.0.
Official resources
- CVE-2026-32591 CVE record (CVE.org)
- CVE-2026-32591 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Issue Tracking, Vendor Advisory
- 2026-04-08