CVE-2026-2376

low-risk

Published 2026-03-12

A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

NETWORK / HIGH complexity

References (3)

https://access.redhat.com/security/cve/CVE-2026-2376

https://bugzilla.redhat.com/show_bug.cgi?id=2439117

https://github.com/quay/quay/pull/5074

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal