CVE-2026-2376 MEDIUM

CVE-2026-2376: Mirror-registry: quay: quay: server-side request forgery via open redirect vulnerability in web interface

Vendor Red Hat
Product mirror registry for Red Hat OpenShift
Weakness CWE-601 · Open redirect
Published March 12, 2026
Last update March 12, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to.
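A generic mitigation for the redirect-following behaviour described above, as an added example (not code from mirror-registry, Quay or Red Hat, and not the vendor's fix): each redirect hop is resolved and checked before any request is sent to it. The `send` transport, the `MAX_HOPS` limit and the sample hosts and addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed redirect limit for this example
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample data (not from the advisory): fake DNS and fake responses.
SAMPLE_DNS = {"registry.example.com": {"93.184.216.34"},
              "internal.example": {"10.0.0.5"}}
SAMPLE_HOPS = {"https://registry.example.com/ok": (200, None),
               "https://registry.example.com/moved":
                   (302, "http://internal.example/admin")}


def resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_destination(url, resolver=resolve):
    """Raise ValueError unless url is http(s) and maps only to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"blocked scheme or host: {url}")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError(f"unresolvable host: {url}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # private, loopback, link-local, reserved ...
            raise ValueError(f"blocked internal address {ip} for {url}")


def fetch_checked(url, send, resolver=resolve):
    """Follow redirects one hop at a time, validating every destination first.

    send(url) is a hypothetical transport: it performs ONE request with
    automatic redirects disabled and returns (status, location_or_None).
    """
    for _ in range(MAX_HOPS + 1):
        check_destination(url, resolver)
        status, location = send(url)
        if status not in REDIRECTS or not location:
            return url, status
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")
```

In a real client the connection has to be made to the address that was checked; if the transport resolves the name again, a DNS answer that changes between check and connect bypasses the filter.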

Key dates

02 Disclosure timeline

March 12, 2026 CVE published
March 12, 2026 Record updated