Red Hat Quay Resumable Uploads Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Red Hat Quay version 3.12.x, arising from the insecure handling of resumable container image layer uploads. The application uses Python's pickle module to serialize and deserialize hash state objects, which are then stored in the database. Because pickle deserialization can instantiate arbitrary objects, a tampered stored hash state can be used to execute arbitrary code on the Quay server. Exploitation requires valid login credentials, either through the web interface or via a container tool like Podman.
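The following is an added, constructed illustration of the weakness described above and is not Quay's code: a hash-state blob read back from the database is restored with the default pickle loader, next to a loader that only admits the primitive types such a state needs. The state layout (`algorithm`, `uploaded_bytes`, `partial_digest`) is an assumption for the example.

```python
import io
import os
import pickle

# Constructed stand-in for a stored resumable-upload hash state (not Quay's format).
EXAMPLE_STATE = {"algorithm": "sha256", "uploaded_bytes": 4096, "partial_digest": b"\x01\x02"}


def save_hash_state(state: dict) -> bytes:
    """Serialize the state for storage; pickle of plain builtins emits no GLOBAL opcodes."""
    return pickle.dumps(state)


def load_hash_state_unsafe(blob: bytes):
    """Weak pattern: the default loader resolves and invokes any global the blob names."""
    return pickle.loads(blob)


# Hardened form: only these (module, name) pairs may be resolved during unpickling.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "bytes"), ("builtins", "int"), ("builtins", "str")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_hash_state(blob: bytes) -> dict:
    """Restore a stored state, rejecting any blob that references code or non-primitive types."""
    state = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(state, dict) or not isinstance(state.get("uploaded_bytes"), int):
        raise pickle.UnpicklingError("hash state has unexpected shape")
    return state


def tampered_blob_is_rejected(blob: bytes) -> bool:
    """True when the hardened loader refuses the blob; used to contrast the two loaders."""
    try:
        load_hash_state(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(load_hash_state(save_hash_state(EXAMPLE_STATE)))
    # A blob that merely names a dangerous callable is accepted by the default loader
    # (it hands back the function object) but refused by the restricted one.
    print(tampered_blob_is_rejected(pickle.dumps(os.system)))
```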

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the Quay server.

Added: Apr 8, 2026, 7:34 PM
Updated: Apr 8, 2026, 7:34 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 4.7
remediation: 0.0
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.