CVE-2026-2377 PUBLISHED

Mirror-registry: quay: quay: server-side request forgery via log export functionality

Assigner: redhat
Reserved: 11.02.2026 Published: 08.04.2026 Updated: 08.04.2026

A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Request Forgery (SSRF). This could lead to unauthorized access to sensitive information or other internal systems.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	mirror registry for Red Hat OpenShift
Versions	Default: affected

Vendor	Red Hat
Product	mirror registry for Red Hat OpenShift 2
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Quay 3
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Quay 3
Versions	Default: affected

References

Problem Types

Server-Side Request Forgery (SSRF) CWE