What is CVE-2026-32589?

CVE-2026-32589 is a high-severity vulnerability in Red Hat Mirror Registry For Openshift, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 7.4/10. Published 2026-04-08.

How severe is CVE-2026-32589?

High severity. CVSS v3 base score is 7.4 out of 10.

Auth bypass in Red Hat Mirror Registry For Openshift

CVE-2026-32589

A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they d…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (17.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.4 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L.

Affected products

Red Hat Mirror Registry For Openshift
Red Hat Mirror Registry For Openshift 2
Red Hat Quay 3
Red Hat Quay 3.1 — versions 1779822261
Red Hat Quay 3.12 — versions 1779811412
Red Hat Quay 3.14 — versions 1779689392
Red Hat Quay 3.16 — versions 1779204086
Red Hat Quay 3.17 — versions 1779922205
Redhat Mirror_registry_for_red_hat_openshift — versions 2.0
Redhat Quay — versions 3.0.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

secalert@redhat.com (x_refsource_REDHAT, vdb-entry, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, issue-tracking, Issue Tracking, Vendor Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)

Frequently asked questions

What is CVE-2026-32589?: CVE-2026-32589 is a high-severity vulnerability in Red Hat Mirror Registry For Openshift, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 7.4/10. Published 2026-04-08.
How severe is CVE-2026-32589?: High severity. CVSS v3 base score is 7.4 out of 10.