CVE-2026-32589 Overview
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.
Critical Impact
Authenticated attackers can compromise the integrity and confidentiality of container images being uploaded by other users across the entire registry, bypassing repository-level access controls.
Affected Products
- Red Hat Quay (container registry)
Discovery Timeline
- April 8, 2026 - CVE-2026-32589 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-32589
Vulnerability Analysis
This vulnerability represents an Insecure Direct Object Reference (IDOR) flaw, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability exists within Red Hat Quay's container image upload handling mechanism, where insufficient authorization checks allow authenticated users to access and manipulate upload sessions belonging to other users.
The attack requires network access and an authenticated session with push privileges to at least one repository on the Quay instance. Despite requiring user interaction and having a high attack complexity, the vulnerability enables cross-tenant interference in a multi-user container registry environment. The scope change indicates that the vulnerability impacts resources beyond the vulnerable component's authorization boundary.
Root Cause
The root cause of this vulnerability lies in improper authorization validation during the image upload process. When handling in-progress uploads, Red Hat Quay fails to adequately verify that the requesting user has authorization for the specific upload session they are attempting to access. Instead of enforcing repository-level access controls on individual upload operations, the system appears to only verify that a user has push access to any repository, allowing them to interact with upload sessions across the entire registry.
This authorization bypass through user-controlled keys (CWE-639) occurs when the application uses user-supplied input to determine which resources to access without properly validating that the user is authorized for the specific resource.
Attack Vector
The attack leverages network-accessible endpoints in the Quay registry API. An authenticated attacker with legitimate push access to any repository can enumerate or guess upload session identifiers for other users' in-progress uploads. Once identified, the attacker can:
- Read image data - Access container image layers and manifests being uploaded by other users, potentially exposing proprietary code or sensitive configuration
- Modify uploads - Inject malicious layers or modify image content during the upload process, enabling supply chain attacks
- Cancel uploads - Disrupt legitimate operations by terminating other users' upload sessions
The attack mechanism involves intercepting or manipulating API requests to the blob upload endpoints, substituting session identifiers to target other users' upload operations. For detailed technical information, refer to the Red Hat Bug Report #2446963.
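The following is an added example, not code from Red Hat Quay and not derived from Bug Report #2446963: an in-memory model of the authorization pattern that "Root Cause" and "Attack Vector" describe. The endpoint shape PATCH /v2/<name>/blobs/uploads/<uuid> is the standard OCI distribution blob-upload route; the users, repositories, session identifiers and both handler functions are constructed for illustration and do not reproduce Quay's real implementation. The vulnerable handler authorizes on "has push access somewhere" and resolves the session by the caller-supplied uuid alone; the hardened handler authorizes on the repository named in the URL and scopes the session lookup to that repository.

```python
# Added example, not code from Red Hat Quay: an in-memory model of the
# CWE-639 pattern described in "Root Cause" and "Attack Vector".
# The OCI endpoint shape PATCH /v2/<name>/blobs/uploads/<uuid> is standard;
# users, repositories, session ids and both handlers are constructed.
from dataclasses import dataclass, field


@dataclass
class UploadSession:
    uuid: str
    repository: str                       # "namespace/repo" the upload was opened in
    owner: str                            # user who started it
    data: bytearray = field(default_factory=bytearray)


class PermissionDenied(Exception):
    pass


# Constructed fixtures: push grants per user and two in-progress uploads.
PUSH_GRANTS = {"alice": {"teamA/app"}, "bob": {"teamB/tools"}}
SESSIONS = {
    "11111111-aaaa": UploadSession("11111111-aaaa", "teamA/app", "alice"),
    "22222222-bbbb": UploadSession("22222222-bbbb", "teamB/tools", "bob"),
}


def can_push(user: str, repository: str) -> bool:
    return repository in PUSH_GRANTS.get(user, set())


def patch_upload_vulnerable(user, name, uuid, chunk: bytes) -> int:
    """CWE-639 pattern: authorizes on 'has push access somewhere', then
    resolves the session by the caller-supplied uuid alone, so the
    repository in the URL never constrains which session is touched."""
    if not PUSH_GRANTS.get(user):
        raise PermissionDenied("no push access on any repository")
    session = SESSIONS[uuid]              # user-controlled key, no scoping
    session.data.extend(chunk)
    return len(session.data)


def patch_upload_fixed(user, name, uuid, chunk: bytes) -> int:
    """Hardened pattern: authorize on the repository named in the URL and
    resolve the session only within that repository."""
    if not can_push(user, name):
        raise PermissionDenied(f"{user} has no push access to {name}")
    session = SESSIONS.get(uuid)
    # A uuid that exists but belongs to a different repository is treated
    # exactly like an unknown one, so the response does not confirm that
    # the session exists elsewhere on the registry.
    if session is None or session.repository != name:
        raise KeyError("upload session not found")
    session.data.extend(chunk)
    return len(session.data)


def is_denied(handler, *args) -> bool:
    """True if the handler refuses the request (either failure mode)."""
    try:
        handler(*args)
    except (PermissionDenied, KeyError):
        return True
    return False


if __name__ == "__main__":
    # bob (push on teamB/tools only) references alice's session in teamA/app.
    print("vulnerable handler accepts:", not is_denied(
        patch_upload_vulnerable, "bob", "teamA/app", "11111111-aaaa", b"x"))
    print("fixed handler, wrong repo, denied:", is_denied(
        patch_upload_fixed, "bob", "teamA/app", "11111111-aaaa", b"x"))
    print("fixed handler, own repo + foreign uuid, denied:", is_denied(
        patch_upload_fixed, "bob", "teamB/tools", "11111111-aaaa", b"x"))
```

The second check in the hardened handler matters as much as the first: a caller who names a repository they do have push access to, but supplies a session uuid from another repository, must get the same "not found" result as for a nonexistent uuid. Authorizing the URL's repository alone without also binding the session to it would leave the cross-repository reference open.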
Detection Methods for CVE-2026-32589
Indicators of Compromise
- Unusual API access patterns showing a single user interacting with upload sessions across multiple unrelated repositories
- Authentication logs indicating users accessing blob upload endpoints for repositories they do not own
- Failed or interrupted image uploads reported by legitimate users with unexplained causes
Detection Strategies
- Monitor Quay API logs for cross-repository blob upload access attempts from single authenticated sessions
- Implement anomaly detection for users accessing upload endpoints at rates inconsistent with their typical repository activity
- Alert on authentication events where users access upload sessions for repositories outside their assigned organizational units
Monitoring Recommendations
- Enable detailed audit logging for all blob upload API endpoints in Red Hat Quay
- Configure alerts for upload session access that crosses repository ownership boundaries
- Review and correlate interrupted upload events with concurrent access from other authenticated users
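The following is an added example, not part of the advisory and not Quay's own tooling: a small detector for the first two indicators above (a single user touching upload sessions across unrelated repositories, and upload-endpoint access for repositories the user has no grant on), run over constructed access-log lines. The log line format, usernames, repositories and session ids are all made up; the regex would need adapting to the access-log format of the proxy or gateway in front of Quay.

```python
# Added example (not Quay's tooling): flag upload-session requests that
# fall outside a user's push grants, and users whose upload activity spans
# more repositories than a tunable per-user baseline.
# Log format, users, repositories and session ids are constructed.
import re
from collections import defaultdict

# OCI blob-upload session routes: /v2/<name>/blobs/uploads/<uuid>[?digest=...]
UPLOAD_PATH = re.compile(r"^/v2/(?P<repo>.+?)/blobs/uploads/(?P<uuid>[^/?]+)")
# Constructed access-log shape: "<timestamp> <user> <method> <path> <status>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample: which users hold push grants on which repositories.
PUSH_GRANTS = {
    "alice": {"teamA/app"},
    "bob": {"teamB/tools"},
    "ci": {"teamA/app", "teamB/tools", "teamC/base"},
}

# Constructed log lines (not real Quay output). bob touches a session in
# teamA/app, which he has no grant for; ci legitimately pushes to three repos.
SAMPLE_LOG = """\
2026-04-08T10:00:01Z alice POST /v2/teamA/app/blobs/uploads/ 202
2026-04-08T10:00:02Z alice PATCH /v2/teamA/app/blobs/uploads/11111111-aaaa 202
2026-04-08T10:00:03Z bob PATCH /v2/teamA/app/blobs/uploads/11111111-aaaa 202
2026-04-08T10:00:04Z bob DELETE /v2/teamA/app/blobs/uploads/11111111-aaaa 204
2026-04-08T10:00:05Z bob PATCH /v2/teamB/tools/blobs/uploads/22222222-bbbb 202
2026-04-08T10:00:06Z ci PATCH /v2/teamA/app/blobs/uploads/33333333-cccc 202
2026-04-08T10:00:07Z ci PATCH /v2/teamB/tools/blobs/uploads/44444444-dddd 202
2026-04-08T10:00:08Z ci PUT /v2/teamC/base/blobs/uploads/55555555-eeee?digest=sha256:ab 201
"""


def parse_upload_events(log_text: str):
    """Yield only requests that reference an existing upload session uuid.
    Session-start POSTs (no uuid yet) and non-upload routes are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = UPLOAD_PATH.match(m["path"])
        if not p:
            continue
        yield {
            "ts": m["ts"], "user": m["user"], "method": m["method"],
            "repo": p["repo"], "uuid": p["uuid"], "status": int(m["status"]),
        }


def detect(log_text: str, grants: dict, max_repos_per_user: int = 3) -> list:
    """Return alert tuples. Rule 1 fires per request outside the user's
    grants; rule 2 fires once per user whose session activity spans more
    distinct repositories than the baseline."""
    alerts = []
    repos_touched = defaultdict(set)
    for ev in parse_upload_events(log_text):
        repos_touched[ev["user"]].add(ev["repo"])
        if ev["repo"] not in grants.get(ev["user"], set()):
            alerts.append(("upload_access_outside_grants", ev["user"],
                           ev["repo"], ev["uuid"], ev["method"]))
    for user, repos in repos_touched.items():
        if len(repos) > max_repos_per_user:
            alerts.append(("upload_sessions_across_many_repos", user, len(repos)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, PUSH_GRANTS):
        print(alert)
```

Rule 1 is the precise one and needs an export of the registry's permission model to compare against. Rule 2 is a coarse fallback for when that export is unavailable; with the default baseline it stays quiet for the sample, but lowering max_repos_per_user to 2 also flags the ci account, which is exactly the tuning problem the "rates inconsistent with their typical repository activity" recommendation above refers to. A per-user baseline (or an allowlist of service accounts) is the practical way to keep rule 2 useful.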
How to Mitigate CVE-2026-32589
Immediate Actions Required
- Review current Quay access controls and minimize the number of users with push access to repositories
- Monitor for suspicious upload activity patterns using API audit logs
- Implement network segmentation to limit registry access to trusted network segments
Patch Information
Red Hat has documented this vulnerability in their security advisory. Organizations running Red Hat Quay should consult the Red Hat CVE Security Advisory for patch availability and upgrade instructions. Apply vendor-supplied patches as soon as they become available.
Workarounds
- Restrict push access to only essential users and service accounts until patches are applied
- Implement additional network-level controls to limit API access to the Quay registry
- Consider temporarily disabling concurrent uploads if operationally feasible
- Deploy web application firewall rules to detect and block suspicious upload session manipulation attempts
# Review current users with push access to repositories and restrict as needed.
# "quay-admin" is an illustrative placeholder, not a command shipped with Quay;
# consult the Quay documentation or the Quay API for the actual permission listing.
quay-admin list-permissions --output-format=json > repository_permissions_audit.json

# Enable enhanced API audit logging in the Quay configuration file.
# The two keys below are illustrative; verify the exact option names against the
# Quay configuration reference before use, and edit existing entries rather than
# appending duplicates if they are already present in config.yaml.
# Quay must be restarted for configuration changes to take effect.
cat >> /conf/stack/config.yaml << EOF
FEATURE_EXTENDED_AUDIT_LOGGING: true
ACTION_LOG_ARCHIVE_LOCATION: /var/log/quay/audit/
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.