Unrated severityNVD Advisory· Published Mar 12, 2026· Updated Mar 12, 2026

Mirror-registry: quay: quay: server-side request forgery via open redirect vulnerability in web interface

CVE-2026-2376

Description

A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses.

When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to.

Affected products

Red Hat/mirror registry for Red Hat OpenShiftv5
cpe:/a:redhat:mirror_registry:1
Red Hat/mirror registry for Red Hat OpenShift 2v5
cpe:/a:redhat:mirror_registry:2
Red Hat/Red Hat Quay 3v5
cpe:/a:redhat:quay:3
mirror-registry/mirror-registryllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/security/cve/CVE-2026-2376mitrevdb-entryx_refsource_REDHAT
bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT
github.com/quay/quay/pull/5074mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000