CVE-2026-10517— Clair: clair: unauthenticated ssrf via manifest layer uri enables internal network reconnaissance
Affected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Quay 3 | any | affected |
any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10517
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Clair: clair: unauthenticated ssrf via manifest layer uri enables internal network reconnaissance
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints. The SSRF is reflective for non-200 responses, leaking up to 256 bytes of error body content via CheckResponse error messages. Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to the unauthenticated attack vector.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Quay 3 | - | cpe:/a:redhat:quay:3 | |
| Red Hat | Red Hat Quay 3 | - | cpe:/a:redhat:quay:3 |
II. Public POCs for CVE-2026-10517
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10517
请登录查看更多情报信息。
Other References for CVE-2026-10517 (1)
Same Patch Batch · Red Hat · 2026-06-01 · 5 CVEs total
| CVE-2026-43958 | 7.8 HIGH | Rrdtool: rrdtool: stack buffer overflow allows local code execution or denial of service |
| CVE-2026-10118 | 7.8 HIGH | Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buff |
| CVE-2026-10533 | 5.0 MEDIUM | Openshift: openshift: non-admin user can bypass resourcequota and flood etcd with events c |
| CVE-2026-5419 | 3.7 LOW | Guntls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal |
IV. Related Vulnerabilities
Same product: Red Hat Quay 3
- CVE-2026-10078
Quay/config-tool: quay/config-tool: gitlab oauth client_secr - CVE-2026-10052
Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap - CVE-2026-6848
Quay: red hat quay: authentication bypass allows privileged - CVE-2024-5891
Quay: unauthorized user may authenticate via oauth applicati - CVE-2023-4956
Quay: clickjacking on config-editor page severity
Same vendor: Red Hat
- CVE-2026-5419
Guntls: gnutls: information disclosure via timing side-chann - CVE-2026-43958
Rrdtool: rrdtool: stack buffer overflow allows local code ex - CVE-2026-10118
Poppler: integer overflow in poppler splashoutputdev::tiling - CVE-2026-10533
Openshift: openshift: non-admin user can bypass resourcequot - CVE-2026-10101
Assisted-service: assisted-service: infraenv status leaks re
Same weakness: CWE-918
- CVE-2026-49139
Nanobot < 0.2.1 SSRF via Microsoft Teams Channel serviceUrl - CVE-2026-10287
SourceCodester SEO Meta Tag Extractor index.php get_headers - CVE-2026-49138
Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following - CVE-2026-10280
horizon921 mcpilot MCP API Call Endpoint route.ts server-sid - CVE-2026-10276
hekmon8 Jenkins-server-mcp get_build_status/get_build_log/tr
V. Comments for CVE-2026-10517
No comments yet