CVE-2026-2376

Published: Mar 12, 2026Modified: Jun 2, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to.

Affected (2)

Products: Redhat: Quay, Mirror Registry

2 products

Mirror Registry

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Quay	Version 3.0.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 9.0

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Mirror Registry	All versions

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 8.0

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (3)

https://access.redhat.com/security/cve/CVE-2026-2376

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2439117

Source: secalert@redhat.com

Vendor Advisory

https://github.com/quay/quay/pull/5074

Source: secalert@redhat.com

Issue TrackingPatch

Timeline

No history available yet.