CVE-2026-32590: Deserialization of Untrusted Data in Red Hat Red Hat Quay 3.16
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
AI Analysis
Technical Summary
This vulnerability arises from improper handling of resumable container image layer uploads in Red Hat Quay 3.16. The upload process stores intermediate data in a database using a format that, if manipulated by an attacker, could lead to arbitrary code execution on the server due to unsafe deserialization. The CVSS v3.1 base score is 7.1, reflecting network attack vector, high impact on confidentiality, integrity, and availability, but requiring high attack complexity, low privileges, and user interaction. Red Hat has published an advisory and released Quay 3.16.4 containing fixes. The vendor advisory does not explicitly state the patch status for this CVE alone but references the updated Quay 3.16.4 release which includes multiple CVE fixes including CVE-2026-32590.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary code on the Red Hat Quay server, compromising confidentiality, integrity, and availability of the system. This could lead to full system compromise of the affected Quay instance. There are no known public exploits in the wild currently.
Mitigation Recommendations
Red Hat has released Red Hat Quay 3.16.4 which includes fixes addressing this vulnerability among others. Users should update to Quay 3.16.4 or later to remediate this issue. Prior to applying this update, ensure all previously released errata relevant to your system have been applied. Patch status is effectively an official fix via the updated Quay release. No additional vendor mitigation guidance is provided.
CVE-2026-32590: Deserialization of Untrusted Data in Red Hat Red Hat Quay 3.16
Description
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from improper handling of resumable container image layer uploads in Red Hat Quay 3.16. The upload process stores intermediate data in a database using a format that, if manipulated by an attacker, could lead to arbitrary code execution on the server due to unsafe deserialization. The CVSS v3.1 base score is 7.1, reflecting network attack vector, high impact on confidentiality, integrity, and availability, but requiring high attack complexity, low privileges, and user interaction. Red Hat has published an advisory and released Quay 3.16.4 containing fixes. The vendor advisory does not explicitly state the patch status for this CVE alone but references the updated Quay 3.16.4 release which includes multiple CVE fixes including CVE-2026-32590.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary code on the Red Hat Quay server, compromising confidentiality, integrity, and availability of the system. This could lead to full system compromise of the affected Quay instance. There are no known public exploits in the wild currently.
Mitigation Recommendations
Red Hat has released Red Hat Quay 3.16.4 which includes fixes addressing this vulnerability among others. Users should update to Quay 3.16.4 or later to remediate this issue. Prior to applying this update, ensure all previously released errata relevant to your system have been applied. Patch status is effectively an official fix via the updated Quay release. No additional vendor mitigation guidance is provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-03-12T14:39:53.657Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-32590","vendor":"Red Hat"}]
Threat ID: 69d6b19c1cc7ad14daa7cc6b
Added to database: 4/8/2026, 7:50:52 PM
Last enriched: 5/20/2026, 6:16:29 PM
Last updated: 5/23/2026, 7:22:49 AM
Views: 109
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.