Cyber Posture

CVE-2026-32590

Severity: High
Published: 08 April 2026
Modified: 21 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

[Prevent] Directly remediates the deserialization flaw in Quay's resumable upload handling by identifying, patching, and deploying fixes to prevent arbitrary code execution.

[Prevent] Validates intermediate upload data stored in the database before deserialization to block tampered payloads from triggering arbitrary code execution.

[Prevent / Detect] Verifies the integrity of intermediate layer data in the database using checksums or hashes to detect and prevent processing of tampered serialized content.

Security Summary (AI-generated)

CVE-2026-32590 is a deserialization vulnerability (CWE-502) in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-08.

An attacker with low privileges (PR:L), such as an authenticated Quay user, could exploit this over the network (AV:N) by tampering with the intermediate upload data stored in the database. Exploitation requires high attack complexity (AC:H) and user interaction (UI:R), potentially tricking a user into initiating or resuming a malicious upload. Successful exploitation enables arbitrary code execution on the Quay server with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), but with unchanged scope (S:U).

Mitigation details, including patches and advisories, are available in the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2026-32590 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2446964.

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

redhat / mirror registry for red hat openshift: 2.0, all versions
redhat / quay: 3.0.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization flaw in publicly exposed Quay registry service directly enables remote code execution via crafted upload data, mapping to exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
