{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/redhat-quay/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32590"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-32590","redhat-quay","deserialization","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRed Hat Quay is vulnerable to a critical deserialization flaw, identified as CVE-2026-32590. This vulnerability resides in the handling of resumable container image layer uploads. Specifically, the way Quay stores intermediate data in its database during the upload process is susceptible to tampering. An attacker with the ability to manipulate this stored data can leverage this vulnerability to inject malicious serialized objects. When Quay attempts to deserialize this tampered data, it leads to arbitrary code execution within the Quay server\u0026rsquo;s context. This poses a significant risk to the integrity and confidentiality of the container registry. The vulnerability was reported on April 8, 2026, and affects deployments of Red Hat Quay that have not been patched. Successful exploitation allows attackers to gain full control over the Quay server, potentially leading to data breaches, service disruption, and supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the Quay server\u0026rsquo;s database or the mechanism used to store intermediate data during resumable uploads, potentially through SQL injection or other database vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts a container image layer upload request to the Quay server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a serialized object designed to execute arbitrary code upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the intermediate data stored in the database associated with the targeted resumable upload.\u003c/li\u003e\n\u003cli\u003eThe Quay server, during the process of resuming the upload, retrieves the tampered intermediate data from the database.\u003c/li\u003e\n\u003cli\u003eThe Quay server attempts to deserialize the data, triggering the execution of the malicious code embedded within the crafted serialized object.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the Quay server with the privileges of the Quay application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to compromise the entire Quay registry, potentially exfiltrating sensitive data, injecting malicious images, or disrupting the service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32590 allows for arbitrary code execution on the Red Hat Quay server. This can lead to a complete compromise of the container registry, potentially affecting all container images stored within. Depending on the Quay server\u0026rsquo;s configuration and connected systems, this could lead to further lateral movement within the network and compromise of other critical infrastructure. The severity is rated as HIGH with a CVSS score of 7.1, indicating a significant risk. If exploited, organizations could face data breaches, supply chain attacks through compromised container images, and prolonged service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a fixed version of Red Hat Quay as recommended by Red Hat to address CVE-2026-32590.\u003c/li\u003e\n\u003cli\u003eImplement database access controls to restrict unauthorized access and modification of the Quay database to prevent tampering with intermediate data.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) to inspect and filter potentially malicious payloads in container image layer upload requests to mitigate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable robust logging and monitoring of database access and deserialization operations within the Quay server to detect suspicious activities related to this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Quay Deserialization Attempt\u003c/code\u003e to identify potential exploitation attempts based on process execution and network connections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T18:25:59Z","date_published":"2026-04-08T18:25:59Z","id":"/briefs/2026-04-redhat-quay-rce/","summary":"CVE-2026-32590 describes a deserialization vulnerability in Red Hat Quay's handling of resumable container image layer uploads, potentially allowing an attacker to execute arbitrary code on the Quay server by tampering with intermediate data stored in the database.","title":"Red Hat Quay Deserialization Vulnerability Leads to Remote Code Execution (CVE-2026-32590)","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-quay-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Redhat-Quay","version":"https://jsonfeed.org/version/1.1"}