CVE-2026-10052

Vulnerability

A flaw in the Quay config-tool's LDAP and SMTP validation functions, located in pkg/lib/shared/validators.go, allows server-side request forgery (SSRF). The functions ValidateEmailServer (calls net.DialTimeout to the configured mail server) and ValidateLDAPServer (calls ldap.DialURL to the configured LDAP URI) make outbound connections to user-supplied endpoints without performing IP or host filtering. This affects Quay versions up to and including 3.16, where the config editor web application is present; in Quay 3.17 and later, the config editor was removed, limiting the attack vector to CLI or container startup scenarios [1][2].

Exploitation

An attacker with config editor access (gained via HTTP Basic Authentication on the config-tool editor) can supply arbitrary LDAP or SMTP server addresses. The attacker triggers the validation functions, which attempt to connect to the supplied endpoints. No special network position is required beyond access to the Quay config-tool editor. The LDAP validator also accepts the ldapi:// scheme and reflects LDAP result codes in error messages, which could aid in reconnaissance [2].

Impact

Successful exploitation allows the attacker to perform internal network reconnaissance from the Quay pod's network position. The attacker can identify reachable internal hosts and services, potentially mapping the internal network infrastructure. This is a medium-severity information disclosure issue, as it reveals network topology and service availability [1][2].

Mitigation

Red Hat has not announced a specific fixed version. Affected users should consider removing or securing the config-tool editor (disabled by default in Quay 3.17+). As a workaround, restrict network access to the Quay pod and implement strict outbound firewall rules. The config editor web application was removed in Quay 3.17, eliminating the primary attack vector [2]. No CVE has been added to the KEV catalog at this time.