Description
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
Published: 2026-07-01
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Foreman's taxonomy_scope controller allows an authenticated user who holds host-edit permissions to read sensitive infrastructure metadata from organizations and locations that are not normally accessible to them. The vulnerability arises because organization and location identifiers supplied within nested request parameters are not properly validated, so the existing authorization checks are bypassed. The exposed data includes subnet topology, IP ranges, gateways, DNS servers, and related operational details, and it is disclosed to users who are privileged but otherwise restricted to their own organizations and locations.

Affected Systems

This issue affects Red Hat Satellite 6 deployments. The specific versions impacted are not listed in the available data, but any installation of Satellite 6 that includes Foreman without the patch can be vulnerable. Users should check the component version to confirm exposure.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the vulnerability does not appear in CISA's KEV catalog. EPSS data is not available, and there is no indication of publicly known exploitation activity; the attack path also requires legitimate user credentials with host-edit rights. An attacker who obtains such credentials can read infrastructure metadata from other tenants that could aid further attacks or breach organizational boundaries.

Generated by OpenCVE AI on July 1, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install the latest Red Hat Satellite 6 package that incorporates the fix for improper taxonomy scope validation.
  • If no update is yet available, constrain host-edit permissions to the user's own organization and location scopes using role-based access controls.
  • Configure the application to validate organization and location identifiers in nested request parameters before performing any action, rejecting requests that target resources outside the user's authorized scope.
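As an added illustration of the third action above (example code, not Foreman's own; the parameter keys, the sample request and the user's authorized ID sets are assumptions): a Ruby check that walks every nesting level of a request parameter hash and rejects any organization or location ID that falls outside the requesting user's scope, rather than validating only the top-level IDs.

```ruby
# Added example, not Foreman's code. Taxonomy IDs are assumed to arrive under
# organization_id / location_id (or their plural forms) at any nesting depth.
TAXONOMY_KEYS = %w[organization_id location_id].freeze

# Recursively collect every taxonomy ID in a params structure, including IDs
# nested under other keys (e.g. "host" => {...}) or inside arrays of hashes.
def collect_taxonomy_ids(params, found = { "organization_id" => [], "location_id" => [] })
  case params
  when Hash
    params.each do |key, value|
      k = key.to_s.sub(/s\z/, "") # organization_ids -> organization_id
      if found.key?(k)
        Array(value).each { |v| found[k] << v.to_s }
      else
        collect_taxonomy_ids(value, found)
      end
    end
  when Array
    params.each { |v| collect_taxonomy_ids(v, found) }
  end
  found
end

# Returns the out-of-scope references as "key=value" strings; empty when every
# taxonomy referenced anywhere in the request is one the user is authorized for.
def out_of_scope_taxonomies(params, authorized)
  collect_taxonomy_ids(params).flat_map do |key, values|
    allowed = authorized.fetch(key, []).map(&:to_s)
    values.reject { |v| allowed.include?(v) }.map { |v| "#{key}=#{v}" }
  end
end

# Constructed sample scope: the user may act only in organization 1, location 10.
AUTHORIZED = { "organization_id" => [1], "location_id" => [10] }.freeze

# Constructed sample request: top-level IDs are in scope, but the nested host
# payload names organization 2, which a top-level-only check would miss.
SAMPLE_PARAMS = {
  "organization_id" => "1",
  "location_id" => "10",
  "host" => { "name" => "web01", "organization_id" => "2", "location_id" => "10" },
}.freeze

def authorize_request(params, authorized = AUTHORIZED)
  violations = out_of_scope_taxonomies(params, authorized)
  violations.empty? ? :allowed : [:forbidden, violations]
end

puts authorize_request(SAMPLE_PARAMS).inspect # => [:forbidden, ["organization_id=2"]]
```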

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:00:00 +0000

Type: First Time appeared
  Values Added: Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils
Type: CPEs
  Values Added:
    cpe:/a:redhat:satellite:6.16::el8
    cpe:/a:redhat:satellite:6.16::el9
    cpe:/a:redhat:satellite:6.18::el9
    cpe:/a:redhat:satellite_capsule:6.16::el8
    cpe:/a:redhat:satellite_capsule:6.16::el9
    cpe:/a:redhat:satellite_capsule:6.18::el9
    cpe:/a:redhat:satellite_maintenance:6.16::el8
    cpe:/a:redhat:satellite_maintenance:6.16::el9
    cpe:/a:redhat:satellite_utils:6.16::el8
    cpe:/a:redhat:satellite_utils:6.16::el9
    cpe:/a:redhat:satellite_utils:6.18::el9
Type: Vendors & Products
  Values Added: Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils
Type: References

Wed, 01 Jul 2026 16:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type: Description
  Values Added: A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
Type: Title
  Values Added: Foreman: foreman: information disclosure via improper validation of nested request parameters
Type: First Time appeared
  Values Added: Redhat; Redhat satellite
Type: Weaknesses
  Values Added: CWE-639
Type: CPEs
  Values Added: cpe:/a:redhat:satellite:6
Type: Vendors & Products
  Values Added: Redhat; Redhat satellite
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-01T19:40:49.653Z

Reserved: 2026-03-30T10:53:25.776Z

Link: CVE-2026-5138

Vulnrichment

Updated: 2026-07-01T14:39:46.200Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:15:05Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key