The default CSRF SECRET_KEY in mirror-registry is stored in plain text in the Jinja config.yaml template, so every mirror-registry installation that has not changed it may end up with the same SECRET_KEY. The CSRF SECRET_KEY is used to encrypt the session cookie and the CSRF token that are used to interpret user sessions. A successful attack may lead to account takeover on the Quay instance.
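As an added example (not from the advisory or from the mirror-registry project), a small Python audit that checks a deployed Quay config.yaml for a SECRET_KEY still equal to a shipped default and rotates it to a fresh random value. The default value and the config excerpt below are constructed placeholders; the real template value is not reproduced, so pass the value from your own template copy as `known_defaults`.

```python
import math
import re
import secrets
from collections import Counter

# Matches a `SECRET_KEY:` line in config.yaml, bare or quoted, keeping its indentation.
SECRET_KEY_RE = re.compile(r'^(?P<indent>[ \t]*)SECRET_KEY[ \t]*:[ \t]*(?P<q>["\']?)(?P<val>.*?)(?P=q)[ \t]*$', re.MULTILINE)
# Constructed placeholder standing in for the template default; the real shipped value is not reproduced here.
TEMPLATE_DEFAULT = "PLACEHOLDER-template-default-secret-key"
# Constructed excerpt of a deployed config.yaml that still carries the template default.
SAMPLE_CONFIG = """\
DB_URI: postgresql://quayuser:quaypass@db.example.internal/quay
SECRET_KEY: PLACEHOLDER-template-default-secret-key
SERVER_HOSTNAME: registry.example.internal
"""

def extract_secret_key(config_text):
    """Return the SECRET_KEY value from config.yaml text, or None if it is absent."""
    m = SECRET_KEY_RE.search(config_text)
    return m.group("val") if m else None

def estimated_entropy_bits(value):
    """Shannon estimate of the key's total entropy; a coarse screen for low-variety values."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) * n

def audit_secret_key(config_text, known_defaults, min_length=32, min_bits=128):
    """List problems with SECRET_KEY; an empty list means nothing was flagged."""
    key = extract_secret_key(config_text)
    if key is None:
        return ["SECRET_KEY is absent"]
    findings = []
    if key in set(known_defaults):
        findings.append("SECRET_KEY matches a shipped default; every unchanged install shares it")
    if len(key) < min_length:
        findings.append(f"SECRET_KEY is shorter than {min_length} characters")
    if estimated_entropy_bits(key) < min_bits:
        findings.append(f"SECRET_KEY has under {min_bits} bits of estimated entropy")
    return findings

def rotate_secret_key(config_text):
    """Replace (or append) SECRET_KEY with a fresh random value; returns (new_text, new_key)."""
    new_key = secrets.token_urlsafe(48)
    text, n = SECRET_KEY_RE.subn(lambda m: f"{m.group('indent')}SECRET_KEY: {new_key}", config_text, count=1)
    if n == 0:
        text = config_text.rstrip("\n") + f"\nSECRET_KEY: {new_key}\n"
    return text, new_key
```

Rotating the key invalidates every existing session cookie and CSRF token, so roll it during a maintenance window and restart Quay afterwards.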