Vulnerability Key Information Summary 1. Vulnerability Overview CVE ID: CVE-2026-32590 Vulnerability Name: mirror-registry: remote code execution via pickle deserialization (Mirror Registry: Remote Code Execution using Pickle Deserialization) Vulnerability Description: A remote code execution (RCE) vulnerability was discovered in Red Hat Quay v3.12.x. This vulnerability stems from the insecure use of Python's module for serializing state objects stored in the database. Affected Fields: The and fields within the model (used to store SHA-256 and SHA-1 hash states for recoverable container image layer uploads). 2. Scope of Impact Affected Products: Red Hat Quay v3.12.x (Latest Version) Affected Components: Mirror Registry for OpenShift / BlobUpload functionality Operating System: Linux Hardware: All Exploitation Requirements: The attacker must have logged into the web application. Alternatively, the attacker must be able to execute from the host. 3. Remediation Current Status: NEW (Newly reported / Not yet patched) Fixed Version: The screenshot indicates "Close On," suggesting that a specific fixed version has not yet been designated or is currently being processed. Deadline: 2026-04-15 Owner: Product Security DevOps Team 4. POC / Exploit Code The screenshot does not contain specific POC code or exploit scripts.