Bug 2446965 (CVE-2026-32591)

Summary: CVE-2026-32591 mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bdettelb, doconnor, security-response-team, teagle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-04-15   

Description OSIDB Bzimport 2026-03-12 15:14:01 UTC
A Server-Side Request Forgery (SSRF) vulnerability was identified in Red Hat Quay v3.12.x within the Proxy Cache configuration feature. An authenticated organization administrator can supply an attacker-controlled hostname as the upstream_registry parameter when creating or validating a proxy cache configuration. Quay instantiates a network connection to the supplied hostname with no validation against internal address ranges, private IP space, or cloud metadata endpoints.

Requirements to exploit: Attacker needs to be logged into the web app / initiate podman execution from host.

Component affected:
Mirror Registry for OpenShift – Proxy Cache configuration feature
Quay deployed on OpenShift 4.20 – Proxy Cache configuration feature

Version affected: latest releases