A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasnt been mirrored yet, they are granted Admin permissions on the newly created repository.
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.