2.7
CVE-2026-10078
- EPSS 0.2%
- Veröffentlicht 29.05.2026 09:30:30
- Zuletzt bearbeitet 29.05.2026 14:06:47
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
≫
Produkt
Red Hat Quay 3
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Quay 3
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.094 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 2.7 | 1.2 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
|
CWE-598 Use of HTTP Request With Sensitive Query String
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
https://access.redhat.com/security/cve/CVE-2026-10078
https://bugzilla.redhat.com/show_bug.cgi?id=2483168