CVE-2026-13316 - Vulnerability Details

- Foreman: ssrf to cloud metada service through unvalidated test_url parameters in foreman config

Description

A flaw has been found in foreman when HTTP parameters are modified in http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component.

Published: 2026-06-30

Score: 4.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the foreman HTTP proxy configuration, unvalidated test_url parameters permit an attacker to direct the Foreman instance to arbitrary URLs. By exploiting this flaw, an attacker can perform a server‑side request forgery to connect to the metadata services that cloud platforms expose internally. This enables theft of sensitive data such as instance identity tokens, secret credentials, and other metadata. The issue is a classic SSRF, mapped to CWE‑918, and its impact is primarily the confidentiality compromise of privileged cloud information.

Affected Systems

The vulnerability affects Red Hat Satellite 6. The foreman component included in the Satellite 6 distribution contains the flaw. Specific version details are not provided by the CNA, so all deployments of the affected component may be vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 4.4 indicates low‑to‑medium severity, and the EPSS score is not available. The vulnerability is not listed in CISA's KEV catalog, implying no widespread exploitation has been publicly documented. Nonetheless, environments that run the affected Foreman instance can be compromised if an attacker gains access to the Foreman API; they can then craft requests that cause Foreman to reach internal metadata endpoints. Because the attacker does not need privileged credentials to the target environment, the practical risk remains notable for cloud workloads.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Satellite 6	affected	—
Red Hat	Red Hat Satellite 6	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

Configure firewall rules on the Foreman host to block outbound connections to cloud metadata IP ranges unless required.
Sanitize the test_url parameter or disable the HTTP proxy API if your environment does not require it.
Apply the vendor‑provided update to Red Hat Satellite 6 as soon as a patch becomes available.
Monitor API traffic for suspicious requests that target internal IP ranges and enforce strict input validation on the proxy controller.

Generated by OpenCVE AI on June 30, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-13316
https://bugzilla.redhat.com/show_bug.cgi?id=2490345
https://nvd.nist.gov/vuln/detail/CVE-2026-13316
https://www.cve.org/CVERecord?id=CVE-2026-13316

History

Tue, 30 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 30 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-13316 https://www.cve.org/CVERecord?id=CVE-2026-13316
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 30 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in foreman when HTTP parameters are modified in http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component.
Title		Foreman: ssrf to cloud metada service through unvalidated test_url parameters in foreman config
First Time appeared		Redhat Redhat satellite
Weaknesses		CWE-918
CPEs		cpe:/a:redhat:satellite:6
Vendors & Products		Redhat Redhat satellite
References		https://access.redhat.com/security/cve/CVE-2026-13316 https://bugzilla.redhat.com/show_bug.cgi?id=2490345
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Redhat Satellite

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-30T09:53:03.409Z

Updated: 2026-06-30T13:16:44.600Z

Reserved: 2026-06-25T07:46:22.379Z

Link: CVE-2026-13316

Vulnrichment

Updated: 2026-06-30T13:16:39.992Z

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-18T12:00:00Z

Links: CVE-2026-13316 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-30T11:30:04Z

Weaknesses

CWE-918
Server-Side Request Forgery (SSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object