CVE-2026-2376
Description
A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to.
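The control the description says is missing, checking where a redirect finally lands, can be sketched as a fetch loop that validates every hop before requesting it. This is an added example, not code from Quay or mirror-registry; the function names, hostnames, addresses and canned responses are constructed, and the transport and resolver are injected so the block runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

class BlockedDestination(Exception):
    """Raised when a hop points somewhere the server must not reach."""

def check_destination(url, resolve):
    """Allow only http(s) URLs whose host resolves solely to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"scheme or host not allowed: {url}")
    addrs = resolve(parts.hostname)
    if not addrs or any(not ipaddress.ip_address(a).is_global for a in addrs):
        raise BlockedDestination(f"{parts.hostname} resolves to {addrs}")

def fetch_checked(url, fetch, resolve, max_hops=5):
    """Follow redirects manually; fetch(url) must NOT follow them itself.

    A real client must also connect to the address that was validated,
    so DNS cannot change between the check and the request.
    """
    for _ in range(max_hops + 1):
        check_destination(url, resolve)  # every hop, not only the first URL
        status, headers = fetch(url)
        location = headers.get("Location")
        if status not in REDIRECTS or not location:
            return url, status
        url = urljoin(url, location)     # relative Location values are legal
    raise BlockedDestination("too many redirects")

# Constructed sample data standing in for DNS and HTTP responses.
DNS = {"mirror.example": ["93.184.216.34"], "internal.example": ["10.0.0.5"]}
PAGES = {
    "https://mirror.example/ok": (200, {}),
    "https://mirror.example/moved": (302, {"Location": "/ok"}),
    "https://mirror.example/bounce": (302, {"Location": "http://internal.example/admin"}),
    "https://mirror.example/meta": (307, {"Location": "http://169.254.169.254/latest/"}),
}

def sample_resolve(host):
    return DNS.get(host, [host])  # IP literals resolve to themselves

def is_blocked(url):
    try:
        fetch_checked(url, PAGES.__getitem__, sample_resolve)
        return False
    except BlockedDestination:
        return True
```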
Description
mirror-registry: quay: quay: Server-side Request Forgery via open redirect vulnerability in web interface
CVSS v3: 4.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
Package state
| Product | Package | State |
|---|---|---|
| mirror registry for Red Hat OpenShift | openshift/mirror-registry-rhel8 | Fix deferred |
| mirror registry for Red Hat OpenShift 2 | openshift/mirror-registry-rhel8 | Fix deferred |
| Red Hat Quay 3 | quay/quay-rhel8 | Fix deferred |
| Red Hat Quay 3 | quay/quay-rhel9 | Fix deferred |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 8.0 | not-affected | |
| rhel | 9.0 | not-affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | quay | 3.0.0 | |
| redhat | mirror_registry | - | |
CWEs
CWE-601