CVE-2026-10078: Quay GitLab OAuth Credentials Leaked in Plaintext Query Parameters
Quay's config-tool contains a flaw in how it handles GitLab OAuth setup. When administrators configure GitLab as an identity provider, sensitive credentials (client ID and secret) are passed in plaintext within the URL query string of POST requests. This is problematic because these credentials can be logged by web servers, reverse proxies, load balancers, and monitoring systems—anywhere that records HTTP request details. An attacker who gains access to these logs could extract the credentials and impersonate Quay's OAuth client to GitLab, potentially gaining unauthorized access to repositories or other GitLab resources.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.7 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-598
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Quay's config-tool GitLab OAuth validator. The flaw causes OAuth credentials (client_id and client_secret) to be transmitted via URL query parameters in POST requests instead of being placed in the request body or secure headers. Query parameters are routinely logged by infrastructure components including HTTP servers, reverse proxies, WAFs, and security monitoring tools. CWE-598 (Use of GET Request with Sensitive Query Strings) categorizes this improper credential transmission. The CVSS 3.1 score of 2.7 reflects the low attack vector (network-based but requires high privilege to trigger) and limited confidentiality impact when logging access is restricted to privileged users.
Business impact
The primary business risk is credential disclosure through log aggregation and analysis. If an organization centralizes logs from web servers, proxies, or monitoring infrastructure, GitLab OAuth credentials become searchable and extractable by anyone with log access—often a broader group than database administrators. This could enable lateral movement: an attacker with log access could use compromised GitLab credentials to access repositories, CI/CD pipelines, or other GitLab-integrated systems. For regulated environments, plaintext credential logging in audit trails may also create compliance violations.
Affected systems
This vulnerability affects Quay deployments that use GitLab as an OAuth identity provider and are running vulnerable versions of the config-tool. Vendor product data is not provided in the source; verify the specific Quay versions affected against the official Quay security advisory. Environments with centralized logging, log aggregation tools (ELK, Splunk, CloudWatch), or security information and event management (SIEM) systems are at higher risk of credential exposure.
Exploitability
Exploitation requires high privileges (administrator or log-access role) as indicated by the CVSS vector. The attacker must be able to observe or access logs containing the POST request. This is not a remote code execution or unauthenticated attack; instead, it creates a credential disclosure risk for operators and log administrators. The attack does not require user interaction and depends only on normal GitLab OAuth configuration workflow.
Remediation
The vendor must release an updated config-tool that transmits OAuth credentials in the POST body or via secure headers rather than query parameters. Organizations should apply the patched version when available. Interim mitigations include restricting log retention and access for sensitive infrastructure logs, redacting query parameters in log pipelines, and using network segmentation to limit who can access logs containing this data.
Patch guidance
Verify against the official Quay security advisory for patched config-tool versions. Patch testing should include verifying that GitLab OAuth configuration still functions correctly after upgrade and that credential materials no longer appear in access logs. After patching, consider log rotation to purge any historical logs containing exposed credentials.
Detection guidance
Search existing logs for POST requests to GitLab OAuth endpoints (typically /oauth/authorize or similar) containing 'client_id' or 'client_secret' in the query string. Check reverse proxy, web server, WAF, and SIEM logs for these patterns. If found, assume credentials may be compromised and initiate GitLab OAuth credential rotation. Monitor Quay's config-tool upgrade status and scan running instances to confirm they are running patched versions.
Why prioritize this
Despite the low CVSS score, this merits prompt attention for organizations using GitLab OAuth with Quay. The risk is conditional on log access, but in many enterprises, log repositories are accessed by security teams, DevOps engineers, and contractors. The attack surface is largely determined by organizational log management practices rather than the vulnerability's technical complexity. Prioritize patching for environments with broad or insufficiently restricted log access.
Risk score, explained
CVSS 3.1 assigns a score of 2.7 (LOW) based on: Attack Vector (Network) indicating remote trigger capability, Attack Complexity (Low) meaning no special conditions required for exploitation, Privileges Required (High) restricting the threat actor to high-privilege roles, no User Interaction required, and Confidentiality Impact (Low) limited to credential exposure rather than mass data theft. The score reflects the requirement for prior high privilege access to exploit the vulnerability. Organizations should not assume 'low' severity means 'low priority'; credential compromise can have outsized impact depending on role and environment.
Frequently asked questions
Does this vulnerability allow remote code execution or system compromise?
No. This is a credential disclosure vulnerability, not RCE. It exposes OAuth credentials that could be used for unauthorized access to GitLab, but does not directly compromise Quay or the underlying infrastructure. Impact is confined to potential unauthorized GitLab access using the compromised client credentials.
How can I tell if my organization has been affected?
Check whether your Quay deployment uses GitLab as an OAuth provider in the config-tool. Search your access logs, reverse proxy logs, and SIEM for POST requests to GitLab OAuth endpoints containing 'client_id' or 'client_secret' in the URL query string. If found, assume credentials may be compromised and rotate them immediately. Also verify your Quay config-tool version against the vendor advisory.
What should I do if I find exposed credentials in my logs?
Treat the exposed OAuth client_id and client_secret as compromised. Immediately rotate these credentials in your GitLab OAuth application settings. Review GitLab audit logs for any unauthorized access or activity using those credentials. Then upgrade Quay's config-tool to the patched version and remove or redact the credential material from archived logs if possible.
Are there interim steps I can take before patching?
Yes. Restrict access to logs containing config-tool requests to only essential personnel. Implement query parameter redaction in your log pipeline to mask sensitive values before storage. Use network segmentation to limit which systems can access logs. However, these are mitigations, not fixes; patching remains essential.
This analysis is based on publicly disclosed vulnerability data current as of the source publication date. Specific patch versions, affected Quay releases, and vendor advisory details must be verified against official Quay security bulletins and vendor documentation. Organizations should conduct internal testing before deploying patches. This vulnerability analysis does not constitute security advice for any specific deployment. Consult your vendor and security team for remediation strategies tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2024-42206LOWHCL iReflection Third-Party Component Vulnerability
- CVE-2025-48616LOWAndroid Lockdown Bypass via Screen Pinning Logic Error
- CVE-2025-52608LOWHCL iControl Missing Cookie Attributes Vulnerability
- CVE-2025-52609LOWHCL iControl Missing Security Headers XSS Vulnerability
- CVE-2025-52611LOWHCL iControl Stack Trace Disclosure (v4.0.0)
- CVE-2025-62338LOWHCL BigFix CLM Input Validation Flaw – Information Disclosure Risk
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure