Description
A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.
Published: 2026-07-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in Foreman and enables authenticated users who hold the view_keypairs permission to bypass taxonomy scoping. By directly querying key pair identifiers, such users can download private SSH keys belonging to other organizations, resulting in cross-tenant exposure of sensitive credentials. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The consequence is a loss of confidentiality for SSH private keys across tenant boundaries, which can in turn grant an attacker remote access to, or privilege escalation on, the systems those keys protect.
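To make the CWE-639 pattern concrete, the following Ruby sketch is an added illustration and not Foreman's or Satellite's code: the classes, the sample key pairs and the two lookup functions (download_unscoped, download_scoped) are hypothetical. It contrasts a lookup that honours the view_keypairs permission but resolves a caller-supplied ID without any organization filter with one that resolves the ID only inside the caller's own organizations.

```ruby
# Added illustration, not Foreman's code: a key pair lookup that checks the
# permission but fetches by caller-supplied ID alone (CWE-639), beside one that
# resolves the ID only within the caller's organizations. All data is constructed.

KeyPair = Struct.new(:id, :organization_id, :name, :private_key)
User    = Struct.new(:name, :organization_ids, :permissions)

# Constructed sample data: two organizations (10 and 20), one key pair each.
KEY_PAIRS = [
  KeyPair.new(1, 10, "org-a-deploy", "PRIVATE KEY A (constructed)"),
  KeyPair.new(2, 20, "org-b-deploy", "PRIVATE KEY B (constructed)"),
].freeze

class NotAuthorized < StandardError; end
class NotFound < StandardError; end

# Vulnerable pattern: the permission check passes, then the record is looked up
# by ID with no tenant filter, so any valid ID resolves regardless of organization.
def download_unscoped(user, key_pair_id)
  raise NotAuthorized unless user.permissions.include?(:view_keypairs)
  pair = KEY_PAIRS.find { |kp| kp.id == key_pair_id }
  raise NotFound unless pair
  pair.private_key
end

# Hardened pattern: narrow to key pairs owned by the caller's organizations first,
# then resolve the ID inside that set. A foreign ID behaves exactly like a
# non-existent one, which also avoids confirming which IDs exist elsewhere.
def download_scoped(user, key_pair_id)
  raise NotAuthorized unless user.permissions.include?(:view_keypairs)
  visible = KEY_PAIRS.select { |kp| user.organization_ids.include?(kp.organization_id) }
  pair = visible.find { |kp| kp.id == key_pair_id }
  raise NotFound unless pair
  pair.private_key
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", [10], [:view_keypairs])   # member of organization 10 only
  puts "unscoped: #{download_unscoped(alice, 2)}"     # cross-tenant leak of org 20's key
  begin
    download_scoped(alice, 2)
  rescue NotFound
    puts "scoped: key pair 2 is not visible to alice"
  end
end
```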

Affected Systems

The affected product is Red Hat Satellite 6. No specific patch level or version range is listed; therefore any installation of Satellite 6 that has not applied the relevant vendor update remains vulnerable.

Risk and Exploitability

The CVSS score of 6.5 classifies this flaw as medium severity. Because exploitation requires authenticated access with the view_keypairs permission, the attack surface is limited to users who legitimately hold that permission and to accounts that have been compromised or misconfigured. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at present. Nevertheless, once the necessary permission is in place, an attacker can retrieve any private key by supplying the corresponding key pair ID, so the confidentiality impact is immediate.

Generated by OpenCVE AI on July 1, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Red Hat Satellite 6 security update that fixes CVE-2026-5142.
  • Limit or remove the view_keypairs permission for users that do not truly require access to SSH key pairs.
  • Enable logging and review audit trails for key pair download activity to detect potential abuse.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:00:00 +0000

  • First Time appeared (values added): Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils
  • CPEs (values added):
      cpe:/a:redhat:satellite:6.16::el8
      cpe:/a:redhat:satellite:6.16::el9
      cpe:/a:redhat:satellite:6.18::el9
      cpe:/a:redhat:satellite_capsule:6.16::el8
      cpe:/a:redhat:satellite_capsule:6.16::el9
      cpe:/a:redhat:satellite_capsule:6.18::el9
      cpe:/a:redhat:satellite_maintenance:6.16::el8
      cpe:/a:redhat:satellite_maintenance:6.16::el9
      cpe:/a:redhat:satellite_utils:6.16::el8
      cpe:/a:redhat:satellite_utils:6.16::el9
      cpe:/a:redhat:satellite_utils:6.18::el9
  • Vendors & Products (values added): Redhat satellite Capsule; Redhat satellite Maintenance; Redhat satellite Utils

Wed, 01 Jul 2026 15:30:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

  • Description (values added): A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.
  • Title (values added): Foreman: foreman: cross-tenant private ssh key disclosure via taxonomy scoping bypass
  • First Time appeared (values added): Redhat; Redhat satellite
  • Weaknesses (values added): CWE-639
  • CPEs (values added): cpe:/a:redhat:satellite:6
  • Vendors & Products (values added): Redhat; Redhat satellite
  • Metrics (values added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-01T19:40:52.656Z

Reserved: 2026-03-30T12:08:56.764Z

Link: CVE-2026-5142

Vulnrichment

Updated: 2026-07-01T15:01:15.365Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T16:45:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key