Introduction
A deserialization flaw in Red Hat Quay's resumable upload mechanism means that tampered intermediate upload data stored in the database can lead to arbitrary code execution on the registry server. For organizations relying on Quay as the central container image registry for their OpenShift clusters, particularly in disconnected environments, this vulnerability (CVE-2026-32590, CVSS 7.1) introduces a direct supply chain risk to every downstream deployment pulling images from the compromised registry.
Red Hat Quay is a distributed, highly available container image registry designed for secure storage, distribution, and governance of containers and cloud native artifacts. It is widely deployed across enterprise environments and serves as the default mirror registry for OpenShift Container Platform clusters operating without internet connectivity. Its central position in the container delivery pipeline makes any code execution vulnerability on the registry server a concern that extends well beyond the single host.
Technical Information
The vulnerability resides in Red Hat Quay's resumable upload feature for container image layers. When a user or automated system uploads an image layer in chunks, Quay stores the intermediate state of the upload in its database. The Bugzilla entry (bug 2446964) identifies the root cause as pickle deserialization: the intermediate upload data is serialized using Python's pickle format, and when the upload resumes, the application deserializes this data without adequate validation.
Python's pickle module is inherently unsafe when used with untrusted data. During deserialization, pickle can instantiate arbitrary Python objects and invoke their constructors or special methods such as __reduce__. An attacker who can inject a crafted pickle payload into the stored intermediate upload state can cause the Quay application to execute arbitrary code when it deserializes that data on the next resumption step.
This is a textbook instance of CWE-502 (Deserialization of Untrusted Data), where an application deserializes data from a source without sufficiently verifying that the resulting data will be valid and safe. The deserialization process takes packaged data and converts it back into program internal objects; when an adversary injects malicious content into those serialized objects, the application blindly instantiates them.
Attack Flow
The exploitation sequence proceeds as follows:
- An attacker initiates or identifies a resumable image layer upload to the Quay registry.
- The attacker gains the ability to modify the intermediate upload state stored in the Quay database. The exact prerequisites for this step, whether it requires direct database access, SQL injection, or some other vector, are not fully detailed in current public advisories.
- The attacker replaces the legitimate serialized intermediate data with a malicious pickle payload crafted to execute arbitrary commands upon deserialization.
- When the upload process resumes and Quay reads the intermediate state from the database, the application deserializes the tampered pickle data.
- The malicious payload executes with the privileges of the Quay application process, granting the attacker code execution on the registry server.
Supply Chain Implications
Because Quay serves as the authoritative source for container images across an organization's infrastructure, an attacker with code execution on the registry could taint container images, inject backdoors into base images, or pivot to compromise downstream OpenShift clusters that pull images from the registry. This transforms a single server compromise into a broad supply chain attack affecting every environment that trusts the registry.
Affected Systems and Versions
The public advisories for CVE-2026-32590 do not currently enumerate an explicit list of affected Red Hat Quay versions. Based on the nature of the vulnerability (pickle deserialization in the resumable upload path), any version of Red Hat Quay that implements this upload mechanism using pickle serialization for intermediate state is potentially affected.
Red Hat currently maintains the following active Quay release streams:
| Version | Status |
|---|---|
| Quay 3.15.x | Actively maintained (latest: 3.15.4) |
| Quay 3.16.x | Actively maintained (latest: 3.16.3) |
| Quay 3.17.x | Latest release (3.17.0) |
Organizations should monitor Red Hat security bulletins for official confirmation of which versions contain the fix.
Vendor Security History
Red Hat maintains an active and responsive security patching cadence for the Quay product line. Recent security advisories demonstrate ongoing maintenance across multiple product streams. Version 3.15.4 was released with bug fixes and security updates (RHSA-2026:6568). Version 3.16.3 addressed critical severity vulnerabilities (RHSA-2026:6567). Version 3.17.0 introduced Clair 4.9 and default container security hardening, including a DROP ALL Linux capabilities strategy and hardened seccomp profiles.
References
- CVE-2026-32590 at Red Hat Security
- Bugzilla 2446964: CVE-2026-32590 mirror-registry: remote code execution using pickle deserialization
- CWE-502: Deserialization of Untrusted Data
- Red Hat Quay Architecture Overview
- Red Hat Quay 3.17 Release Notes
- RHSA-2026:6568 Security Advisory
- RHSA-2026:6567 Vulnerability Intelligence
- Best Practices: Unsafe Deserialization of Untrusted Data
- Resolving Deserialization of Untrusted Data (CWE ID 502)
