Description
A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.
Published: 2026-07-01
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in the Foreman Usergroup model, where role assignments are not validated against the caller's permissions. This is CWE-266 (Incorrect Privilege Assignment). An authenticated user who has usergroup management rights can attach arbitrary roles, including administrative ones, to any user group. By then adding themselves as a member of that group, the attacker obtains full administrator privileges. Administrator access gives complete control over the system, allowing modification of configuration and data and potentially the compromise of other services it manages.
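As an added example (not Foreman's code and not the vendor's fix), a minimal Ruby model contrasts the unchecked role assignment the record describes with one that validates each role against the acting user. The Role, User and Usergroup classes are simplified stand-ins, and the rule that a non-admin may attach only roles they already hold is an assumed mitigation.

```ruby
# Added illustration, not Foreman's code. Role, User and Usergroup are simplified
# stand-ins; "non-admins may attach only roles they hold" is an assumed mitigation.
Role = Struct.new(:name, :admin) { def admin?; admin; end }
User = Struct.new(:login, :roles, :admin) { def admin?; admin; end }
class EscalationError < StandardError; end

class Usergroup
  attr_reader :roles, :members
  def initialize; @roles, @members = [], []; end
  def add_member(user); @members |= [user]; end
  # Membership confers admin as soon as any attached role is administrative.
  def grants_admin?; @roles.any?(&:admin?); end

  # Pattern the CVE describes: roles are attached with no reference to who is
  # making the change, so a usergroup manager can attach an administrative role.
  def assign_roles_unchecked(new_roles)
    @roles |= new_roles
  end

  # Hardened pattern: check each role against the acting user's own privileges.
  # Admins may attach any role; others only roles they hold, so the group can
  # never grant more than its manager already has.
  def assign_roles(new_roles, acting_user)
    return @roles |= new_roles if acting_user.admin?
    escalated = new_roles.reject { |r| acting_user.roles.include?(r) }
    unless escalated.empty?
      raise EscalationError, "#{acting_user.login} may not assign #{escalated.map(&:name).join(', ')}"
    end
    @roles |= new_roles
  end
end

# Constructed scenario: "ops" holds only a viewer role but may manage usergroups.
# Returns what each code path lets the group become.
def escalation_scenario
  viewer     = Role.new("viewer", false)
  site_admin = Role.new("site_admin", true)
  ops = User.new("ops", [viewer], false)
  unchecked, hardened = Usergroup.new, Usergroup.new
  unchecked.assign_roles_unchecked([site_admin])
  unchecked.add_member(ops)                 # ops is now an administrator
  blocked = begin
    hardened.assign_roles([site_admin], ops); false
  rescue EscalationError
    true
  end
  hardened.assign_roles([viewer], ops)      # a role ops already holds is allowed
  hardened.add_member(ops)
  { unchecked_admin: unchecked.grants_admin?, blocked: blocked, hardened_admin: hardened.grants_admin? }
end
```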

Affected Systems

Red Hat Satellite 6 is affected by this flaw. The CVE specifically references the Satellite 6 product, though no particular sub-version is listed. All installations running Satellite 6 should be assessed for accounts that hold usergroup management permissions.

Risk and Exploitability

The CVSS score for this issue is 8.8, indicating a high severity. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Successful exploitation requires only an authenticated session with usergroup management rights, which can be obtained through legitimate user accounts or compromised credentials. The lack of proper permission checks means the attack can be carried out by an internal user or by any user who can obtain these rights, potentially with minimal effort once the account is compromised.

Generated by OpenCVE AI on July 1, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether your Red Hat Satellite 6 installation is affected and apply any Red Hat patch or update that addresses this CVE as soon as it is released.
  • If a patch is not yet available, audit all user accounts for usergroup management permissions and remove or limit these rights to trusted administrators only.
  • Monitor usergroup and role assignment activity in the system logs for any unauthorized changes, and block any attempts to create or elevate groups with administrative roles until a fix is applied.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:00:00 +0000

Type: First Time appeared
Values Added: Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils

Type: CPEs
Values Added:
cpe:/a:redhat:satellite:6.16::el8
cpe:/a:redhat:satellite:6.16::el9
cpe:/a:redhat:satellite:6.18::el9
cpe:/a:redhat:satellite_capsule:6.16::el8
cpe:/a:redhat:satellite_capsule:6.16::el9
cpe:/a:redhat:satellite_capsule:6.18::el9
cpe:/a:redhat:satellite_maintenance:6.16::el8
cpe:/a:redhat:satellite_maintenance:6.16::el9
cpe:/a:redhat:satellite_utils:6.16::el8
cpe:/a:redhat:satellite_utils:6.16::el9
cpe:/a:redhat:satellite_utils:6.18::el9

Type: Vendors & Products
Values Added: Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils

Type: References

Wed, 01 Jul 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Red Hat; Red Hat Satellite 6

Type: Vendors & Products
Values Added: Red Hat; Red Hat Satellite 6

Wed, 01 Jul 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: Automatable: no; Exploitation: none; Technical Impact: total (SSVC version 2.0.3)

Wed, 01 Jul 2026 13:45:00 +0000

Type: Description
Values Added: A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.

Type: Title
Values Added: Foreman: foreman: privilege escalation to administrator-level access via usergroup role assignment manipulation

Type: First Time appeared
Values Added: Redhat; Redhat satellite

Type: Weaknesses
Values Added: CWE-266

Type: CPEs
Values Added: cpe:/a:redhat:satellite:6

Type: Vendors & Products
Values Added: Redhat; Redhat satellite

Type: References

Type: Metrics (cvssV3_1)
Values Added: score 8.8; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-01T19:09:26.865Z

Reserved: 2026-03-30T10:47:46.043Z

Link: CVE-2026-5136

Vulnrichment

Updated: 2026-07-01T15:01:36.329Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T19:15:06Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment