CVE-2025-4374 MEDIUM

CVE-2025-4374: Quay: incorrect privilege assignment

Vendor: Project Quay
Product: quay
Weakness: CWE-266
Published: May 6, 2025
Last update: February 27, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository.

Key dates

02 Disclosure timeline

May 6, 2025: CVE published
February 27, 2026: Record updated

Related vulnerabilities

04 Related CVE