7.4
CVE-2026-32589
- EPSS 0.24%
- Veröffentlicht 08.04.2026 17:04:20
- Zuletzt bearbeitet 01.07.2026 13:17:03
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Mirror-registry: quay: insecure direct object reference in blobupload
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Mirror Registry For Red Hat Openshift Version-
Redhat ≫ Mirror Registry For Red Hat Openshift Version2.0
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.152 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
|
| secalert@redhat.com | 7.4 | 3.1 | 3.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.4 | 3.1 | 3.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://access.redhat.com/security/cve/CVE-2026-32589
https://bugzilla.redhat.com/show_bug.cgi?id=2446963
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:28441
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32589.json