Description
A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.
Published: 2026-03-26
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker can achieve remote code execution by exploiting an unsanitized hostname in Foreman's WebSocket proxy, which is used when building shell commands. The flaw allows injection of arbitrary shell commands if the attacker can control the hostname returned by a compute resource provider. Successful exploitation could compromise credentials stored on the system and ultimately control the entire managed infrastructure.

Affected Systems

Red Hat Satellite (versions 6, 6.16, 6.17, 6.18) running on RHEL 8 or 9, including Satellite Capsule, Satellite Maintenance, and Satellite Utils components. These products are listed by the CNA and affect multiple minor releases in both RHEL 8 and RHEL 9 distributions.

Risk and Exploitability

The vulnerability has a CVSS score of 8 and an EPSS score below 1%, indicating low current exploitation probability. It is not listed in the CISA KEV catalog. A likely attack vector involves an attacker operating a malicious compute resource, providing a hostname that is used by Foreman's proxy. When an authenticated user accesses VNC console functionality, the unsanitized hostname is incorporated into a shell command, allowing arbitrary code execution. Because the flaw requires control over a compute resource, initial access may be limited, but the impact of successful exploitation is severe.

Generated by OpenCVE AI on March 27, 2026 at 21:21 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA‑2026:5968, RHSA‑2026:5970, and RHSA‑2026:5971 to update all affected Satellite products to the patched versions.
  • Verify that the Satellite server is running the most recent 6.x release for your platform (RHEL 8 or RHEL 9).
  • Restrict the list of compute resource providers or ensure hostnames are validated and sanitized before being used by the WebSocket proxy.
  • Limit external access to the VNC console functionality for administrators until a patch is applied.

Generated by OpenCVE AI on March 27, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
CWE-94

Fri, 27 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
CWE-94

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Red Hat
Red Hat red Hat Satellite 6
Vendors & Products Red Hat
Red Hat red Hat Satellite 6

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:satellite:6.18::el9
cpe:/a:redhat:satellite_capsule:6.18::el9
cpe:/a:redhat:satellite_utils:6.18::el9
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 26 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat satellite Capsule
Redhat satellite Maintenance
Redhat satellite Utils
CPEs cpe:/a:redhat:satellite:6.16::el8
cpe:/a:redhat:satellite:6.16::el9
cpe:/a:redhat:satellite:6.17::el9
cpe:/a:redhat:satellite_capsule:6.16::el8
cpe:/a:redhat:satellite_capsule:6.16::el9
cpe:/a:redhat:satellite_capsule:6.17::el9
cpe:/a:redhat:satellite_maintenance:6.16::el9
cpe:/a:redhat:satellite_maintenance:6.17::el9
cpe:/a:redhat:satellite_utils:6.16::el8
cpe:/a:redhat:satellite_utils:6.16::el9
cpe:/a:redhat:satellite_utils:6.17::el9
Vendors & Products Redhat satellite Capsule
Redhat satellite Maintenance
Redhat satellite Utils
References

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.
Title Forman: foreman: remote code execution via command injection in websocket proxy
First Time appeared Redhat
Redhat satellite
CPEs cpe:/a:redhat:satellite:6
Vendors & Products Redhat
Redhat satellite
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Red Hat Red Hat Satellite 6
Redhat Satellite Satellite Capsule Satellite Maintenance Satellite Utils
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T11:23:19.413Z

Reserved: 2026-02-05T10:43:18.671Z

Link: CVE-2026-1961

cve-icon Vulnrichment

Updated: 2026-03-27T16:18:13.602Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T13:16:27.650

Modified: 2026-04-08T12:16:20.597

Link: CVE-2026-1961

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T12:30:45Z

Links: CVE-2026-1961 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:27:54Z

Weaknesses