The vulnerability in Red Hat Quay 3.16 arises from insufficient validation of hostnames in the Proxy Cache configuration feature. When an organization administrator configures an upstream registry, Quay establishes network connections to the specified hostname without verifying its legitimacy. This flaw enables an attacker with organization administrator privileges to craft hostnames that cause the Quay server to send requests to internal or otherwise restricted network resources, potentially exposing sensitive information or internal services. The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges required, user interaction required, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. Red Hat published an advisory and released Quay 3.16.4 with multiple fixes, but the advisory does not explicitly state that this SSRF vulnerability is addressed in that release.

If exploited, this SSRF vulnerability could allow an attacker with organization administrator privileges to make the Quay server send unauthorized requests to internal network services or cloud infrastructure endpoints that should not be accessible. This could lead to unauthorized disclosure of sensitive information (high confidentiality impact). The integrity and availability impacts are low or none. There are no known exploits in the wild currently.

Red Hat has released Red Hat Quay 3.16.4 with multiple bug fixes and security updates. However, the vendor advisory does not explicitly confirm that this release addresses CVE-2026-32591. Users should apply all relevant errata and updates as recommended by Red Hat. Patch status is not yet confirmed specifically for this vulnerability — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-32591 for the latest remediation guidance. Until a confirmed fix is applied, restrict organization administrator privileges to trusted users only to reduce risk.