CVE-2026-32590 HIGH

CVE-2026-32590: Mirror-registry: remote code execution using pickle deserialization

Vendor Red Hat

Product mirror registry for Red Hat OpenShift

Weakness CWE-502 · Unsafe deserialization

Published April 8, 2026

Last update June 9, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

June 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32590

Related vulnerabilities

04Related CVE

CVE-2024-11039 Deserialization of Untrusted Data in binary-husky/gpt_academic CVE-2024-1731 Auto Refresh Single Page <= 1.1 - Authenticated (Contributor+) PHP Object Injection CVE-2025-48287 WordPress Pix 4x sem juros - Pagaleve plugin <= 1.6.9 - PHP Object Injection Vulnerability CVE-2025-31052 WordPress The Fashion - Model Agency One Page Beauty Theme plugin <= 1.4.4 - Deserialization of untrusted data Vulnerability CVE-2025-24357 vLLM allows a malicious model RCE by torch.load in hf_model_weights_iterator

Identifiers

CVE CVE-2026-32590

CWE CWE-502

CVSS 7.1 / HIGH

Affected versions

Vendor Red Hat

Product mirror registry for Red Hat OpenShift

Affected All versions

Vendor Red Hat

Product mirror registry for Red Hat OpenShift 2

Affected All versions