Description
A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise.
Published: 2026-02-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Man-in-the-Middle compromising confidentiality and integrity
Action: Patch Now
AI Analysis

Impact

A flaw in fog‑kubevirt disables certificate validation, enabling a remote attacker to intercept and alter traffic between Red Hat Satellite and OpenShift. The vulnerability permits information disclosure and tampering with sensitive data flowing over the network. It is a classic Man‑in‑the‑Middle scenario that directly threatens the confidentiality and integrity of communications.

Affected Systems

Affected are Red Hat Satellite 6 and its 6.16 and 6.17 releases for RHEL 8 and RHEL 9, as well as the Satellite Capsule, Maintenance and Utils components at the same minor versions. The affected products are those listed under the Red Hat Satellite family as identified by the CNA.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. An EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not currently listed in CISA’s KEV catalog. The flaw can be exploited remotely over the network; the attacker must have access to the communication path between Satellite and OpenShift, and must be able to supply a malicious or intercepted TLS handshake. Attack steps are inferred from the description, as the exact vector is not detailed in the data.

Generated by OpenCVE AI on April 16, 2026 at 07:15 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply Red Hat errata RHSA-2026:5970 or RHSA-2026:5971 to patch fog‑kubevirt and restore certificate verification
  • Verify that the Certificate Authority (CA) certificates used by fog‑kubevirt are correctly configured and that certificate validation is enabled
  • If a patch cannot be applied immediately, restrict or isolate the vulnerable traffic to an internal network segment and monitor for additional updates



Advisories
Source: Github GHSA
ID: GHSA-m3hq-3qj8-c5fm
Title: fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation
History

Thu, 26 Mar 2026 21:00:00 +0000

First Time appeared
  Values Added: Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils
CPEs
  Values Added:
    cpe:/a:redhat:satellite:6.16::el8
    cpe:/a:redhat:satellite:6.16::el9
    cpe:/a:redhat:satellite:6.17::el9
    cpe:/a:redhat:satellite_capsule:6.16::el8
    cpe:/a:redhat:satellite_capsule:6.16::el9
    cpe:/a:redhat:satellite_capsule:6.17::el9
    cpe:/a:redhat:satellite_maintenance:6.16::el9
    cpe:/a:redhat:satellite_maintenance:6.17::el9
    cpe:/a:redhat:satellite_utils:6.16::el8
    cpe:/a:redhat:satellite_utils:6.16::el9
    cpe:/a:redhat:satellite_utils:6.17::el9
Vendors & Products
  Values Added: Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils
References

Mon, 02 Feb 2026 17:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 06:00:00 +0000

Description
  Values Removed: No description is available for this CVE.
  Values Added: A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise.
Title
  Values Removed: fog-kubevirt: fog-kubevirt: Man-in-the-Middle vulnerability due to disabled certificate validation
  Values Added: Fog-kubevirt: fog-kubevirt: man-in-the-middle vulnerability due to disabled certificate validation
First Time appeared
  Values Added: Redhat; Redhat satellite
CPEs
  Values Added: cpe:/a:redhat:satellite:6
Vendors & Products
  Values Added: Redhat; Redhat satellite
References

Thu, 29 Jan 2026 00:15:00 +0000

Description
  Values Added: No description is available for this CVE.
Title
  Values Added: fog-kubevirt: fog-kubevirt: Man-in-the-Middle vulnerability due to disabled certificate validation
Weaknesses
  Values Added: CWE-295
References
Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}; threat_severity Important


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-26T20:31:44.599Z

Reserved: 2026-01-28T12:41:52.835Z

Link: CVE-2026-1530

Vulnrichment

Updated: 2026-02-02T16:26:14.451Z

NVD

Status: Deferred

Published: 2026-02-02T06:16:20.620

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1530

Redhat

Severity: Important

Public Date: 2026-01-28T12:40:37Z

Links: CVE-2026-1530 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T07:15:28Z

Weaknesses