Mirror-registry: remote code execution using pickle deserialization

CVE	CVE-2026-32590
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-08 18:25:59 UTC
Updated	2026-04-08 21:26:13 UTC
Description	A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

Primary CVSS: v3.1 7.1 HIGH from [email protected]

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem Types: CWE-502 | CWE-502 Deserialization of Untrusted Data

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H`
3.1	CNA	CVSS	7.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H`

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Red Hat	Mirror Registry For Red Hat OpenShift	Not specified	Not specified
CNA	Red Hat	Mirror Registry For Red Hat OpenShift 2	Not specified	Not specified
CNA	Red Hat	Red Hat Quay 3	Not specified	Not specified
CNA	Red Hat	Red Hat Quay 3	Not specified	Not specified

Reference	Source	Link	Tags
access.redhat.com/security/cve/CVE-2026-32590	[email protected]	access.redhat.com
bugzilla.redhat.com/show_bug.cgi	[email protected]	bugzilla.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue. (en)

Source	Time	Event
CNA	2026-03-12T14:43:11.443Z	Reported to Red Hat.
CNA	2026-04-08T00:00:00.000Z	Made public.

There are currently no legacy QID mappings associated with this CVE.