CVE-2026-10078
Description
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Quay config-tool GitLab OAuth validator leaks client_id and client_secret in plaintext URL query parameters during POST requests, exposing credentials to various logs.
Vulnerability
A flaw exists in the Quay config-tool's GitLab OAuth validator, located in pkg/lib/shared/validators.go at line 804. When the validator makes POST requests to the configured GitLab endpoint, it places the sensitive client_id and client_secret as plaintext URL query parameters. This behavior affects the GitLab OAuth validator only; the GitHub OAuth validator is not impacted because it correctly uses HTTP Basic Auth headers. The affected versions are those of Quay that include this config-tool component; specific version numbers are not yet disclosed in the available references [1][2].
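As an added illustration, not code from the Quay config-tool or the advisory, the Go snippet below contrasts the two request shapes the text describes (credentials in the POST query string versus an HTTP Basic Auth header) and adds a small log-review check for URLs that carry the secret. The endpoint, credential values and function names are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// buildLeakyRequest reproduces the pattern the advisory describes: the OAuth
// client credentials ride in the query string of a POST request.
func buildLeakyRequest(endpoint, clientID, clientSecret string) (*http.Request, error) {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("client_secret", clientSecret)
	// The secret becomes part of the request line, which access logs, proxies and traces record.
	return http.NewRequest(http.MethodPost, endpoint+"?"+q.Encode(), nil)
}

// buildSafeRequest carries the same credentials in an HTTP Basic Auth header,
// as the advisory notes the GitHub validator does; the URL stays secret-free.
func buildSafeRequest(endpoint, clientID, clientSecret string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	return req, nil
}

// URLExposesSecret is a log-review check: it reports whether a recorded URL carries any named sensitive query key.
func URLExposesSecret(rawURL string, sensitive ...string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	for _, k := range sensitive {
		if u.Query().Has(k) {
			return true
		}
	}
	return false
}

func main() {
	const ep = "https://gitlab.example.com/oauth/token" // constructed placeholder endpoint
	leaky, _ := buildLeakyRequest(ep, "example-id", "example-secret")
	safe, _ := buildSafeRequest(ep, "example-id", "example-secret")
	fmt.Println("leaky URL exposes secret:", URLExposesSecret(leaky.URL.String(), "client_secret"))
	fmt.Println("safe URL exposes secret: ", URLExposesSecret(safe.URL.String(), "client_secret"))
}
```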
Exploitation
An attacker does not need direct write access to the Quay config-tool or the application itself. The credentials are transmitted in plaintext in the URL query string, which means they may be captured by any system that logs HTTP requests, such as server access logs, reverse proxies, WAFs, CDNs, and OpenTelemetry traces. No user interaction or race window timing is necessary; the exposure occurs automatically whenever the validator performs the POST request to the GitLab endpoint [2].
Impact
Successful exploitation results in unauthorized disclosure of the GitLab OAuth client_id and client_secret credentials. An attacker with access to the logs where these URLs are recorded can obtain these credentials, potentially leading to further unauthorized information disclosure or misuse of the OAuth integration. The confidentiality of the credential data is compromised, but the direct impact is limited to credential exposure; no code execution or file write is described [1][2].
Mitigation
As of the publication date (2026-05-29), no fixed version or patch has been released by Red Hat. Users should monitor the official advisory [1] and the Bugzilla entry [2] for updates. Workarounds include ensuring that logs where query strings are recorded are restricted to authorized personnel and that HTTPS is used (though query parameters remain visible in logs). This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of publication. If no fix is released, administrators may consider disabling the GitLab OAuth validator or migrating to an alternative authentication method that does not expose credentials in URLs [2].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.