CVE Catalog

CVE-2026-10517

MediumCVSS 5.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

A Server-Side Request Forgery (SSRF) vulnerability was found in the fetcher component of Clair. An unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints, leaking up to 256 bytes of error body content in non-200 responses.

Risk Assessment

The risk involves an SSRF attack that can expose sensitive data from internal network resources, such as cloud metadata, without authentication when PSK authentication is not configured.

Recommendation

It is recommended to configure PSK authentication in Clair to block unauthenticated requests and implement IP and URI scheme filtering in the fetcher component.

Original NVD description (English source)

A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints. The SSRF is reflective for non-200 responses, leaking up to 256 bytes of error body content via CheckResponse error messages. Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to the unauthenticated attack vector.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS