CVE-2026-2377 MEDIUM

CVE-2026-2377: Mirror-registry: quay: quay: server-side request forgery via log export functionality

Vendor: Red Hat
Product: mirror registry for Red Hat OpenShift
Weakness: CWE-918 · SSRF
Published: April 8, 2026
Last update: June 30, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

A flaw was found in Red Hat Quay and mirror registry for Red Hat OpenShift. The log export feature in these products allows an authenticated user to specify an arbitrary callback URL. A backend process then makes server-side HTTP requests to this provided URL. This vulnerability, known as Server-Side Request Forgery (SSRF), could allow an attacker to send requests from the application's internal network, potentially leading to the disclosure of sensitive information.

Key dates

02 Disclosure timeline

April 8, 2026: CVE published
June 30, 2026: Record updated