Description
A flaw was found in Katello, a component of Red Hat Satellite, in its content upload functionality: insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Katello, a component of Red Hat Satellite, contains an authorization flaw in the ContentUploadsController. Users granted the edit_products permission can query repository content for repositories outside the products they manage, revealing whether specific content exists. This exposes sensitive inventory information but does not allow modification, import, or publication of content, limiting the impact to information disclosure.

Affected Systems

The vulnerability appears in Red Hat Satellite 6 and Red Hat Hardened Images deployments that use Katello. No specific version numbers are listed, so all installations that include the affected component are potentially impacted.

Risk and Exploitability

The CVSS score of 4.3 classifies this issue as low severity, and the EPSS score of less than 1% indicates a very small probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack scenario requires an authenticated user with edit_products rights, so the threat applies only to users who already possess that permission. While exploitation is possible, the narrow set of users able to exploit it and the low exploitation likelihood keep the overall risk modest.

Generated by OpenCVE AI on June 18, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Red Hat Satellite 6 patch that addresses CVE-2026-12515.
  • Restrict the edit_products permission to only users who truly need it, removing or revoking it from other roles.
  • Disable the ContentUploads functionality if the feature is not required for your environment.
  • Monitor authentication logs for unexpected content upload queries.

Advisories

Source: Github GHSA
ID: GHSA-c43c-rf7g-5xpg
Title: katello: missing repository authorization in content_uploads exposes cross-product content existence
History

Thu, 18 Jun 2026 16:45:00 +0000

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics
Values removed:
  threat_severity: None
Values added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  threat_severity: Moderate

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values added: (the description text, identical to the Description section at the top of this page)

Type: Title
Values added: Katello: missing repository authorization in content_uploads exposes cross-product content existence

Type: First Time appeared
Values added: Redhat; Redhat hummingbird; Redhat satellite

Type: Weaknesses
Values added: CWE-862

Type: CPEs
Values added: cpe:/a:redhat:hummingbird:1; cpe:/a:redhat:satellite:6

Type: Vendors & Products
Values added: Redhat; Redhat hummingbird; Redhat satellite

Type: References
Values added: (none listed)

Type: Metrics
Values added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-18T15:26:22.574Z

Reserved: 2026-06-17T12:39:00.644Z

Link: CVE-2026-12515

Vulnrichment

Updated: 2026-06-18T15:26:16.428Z

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-06-17T15:27:46Z

Links: CVE-2026-12515 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses