Cyber Resilience

CVE-2026-32590

High · RCE · Updated

Published: 08 April 2026
Modified: 23 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0041 (33.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32590 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Redhat Mirror Registry For Red Hat Openshift. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32590 is a deserialization vulnerability (CWE-502) in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-08.

An attacker with low privileges (PR:L), such as an authenticated Quay user, could exploit this over the network (AV:N) by tampering with the intermediate upload data stored in the database. Exploitation requires high attack complexity (AC:H) and user interaction (UI:R), potentially tricking a user into initiating or resuming a malicious upload. Successful exploitation enables arbitrary code execution on the Quay server with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), but with unchanged scope (S:U).

Mitigation details, including patches and advisories, are available in the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2026-32590 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2446964.

Vulnerability details

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The deserialization flaw in a publicly exposed Quay registry service directly enables remote code execution via crafted upload data, which maps to exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32589 (same product: Redhat Mirror Registry For Red Hat Openshift)
CVE-2026-28369 (same vendor: Redhat)
CVE-2026-28367 (same vendor: Redhat)
CVE-2026-28368 (same vendor: Redhat)
CVE-2025-12543 (same vendor: Redhat)
CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)

Affected Assets

Vendor: redhat · Product: mirror registry for red hat openshift · Version: 2.0, all versions
Vendor: redhat · Product: quay · Version: 3.0.0

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation · prevent

Directly remediates the deserialization flaw in Quay's resumable upload handling by identifying, patching, and deploying fixes to prevent arbitrary code execution.

SI-10 Information Input Validation · prevent

Validates intermediate upload data stored in the database before deserialization to block tampered payloads from triggering arbitrary code execution.

prevent · detect

Verifies the integrity of intermediate layer data in the database using checksums or hashes to detect and prevent processing of tampered serialized content.
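The last two controls above amount to one pattern: check the stored upload state before anything deserializes it. The following is an added illustration, not Quay's code or schema: it seals a constructed upload-state record with an HMAC-SHA256 tag over a canonical, data-only JSON encoding and refuses to parse any record whose tag does not verify. The record fields, the key handling and the function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example record for a resumable layer upload; the field names are
# assumptions for illustration, not Quay's actual database schema.
UPLOAD_STATE = {
    "upload_id": "constructed-upload-id",
    "byte_count": 1048576,
    "chunk_count": 2,
    "piece_hashes": ["sha256:constructed-digest"],
}

# In a real deployment the key comes from a secrets manager, never from the
# database holding the records it protects; a random key is used here to run offline.
KEY = secrets.token_bytes(32)


def seal_state(state: dict, key: bytes) -> tuple[bytes, str]:
    """Serialize as canonical JSON (plain data, no object instantiation on
    load) and return the bytes together with an HMAC-SHA256 tag over them."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def is_trusted(body: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag over the stored bytes and compare in constant time."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def load_state(body: bytes, tag: str, key: bytes) -> dict:
    """Deserialize only after the integrity check passes; a record whose bytes
    were edited in the database, or whose tag was computed without the key,
    is rejected before any parsing happens."""
    if not is_trusted(body, tag, key):
        raise ValueError("upload state failed integrity check; refusing to load")
    return json.loads(body)


if __name__ == "__main__":
    body, tag = seal_state(UPLOAD_STATE, KEY)
    print("intact record loads:", load_state(body, tag, KEY) == UPLOAD_STATE)
    # Simulate a direct edit of the stored record: the tag no longer matches.
    tampered = body.replace(b"1048576", b"1")
    print("tampered record trusted:", is_trusted(tampered, tag, KEY))
    # A tag computed without the real key does not verify either.
    forged = hmac.new(b"wrong-key", tampered, hashlib.sha256).hexdigest()
    print("forged tag trusted:", is_trusted(tampered, forged, KEY))
```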
