Skip to main content

Foreman MCP Server CVE-2026-12112

| EUVDEUVD-2026-38599 HIGH
Improper Authentication (CWE-287)
2026-06-23 redhat GHSA-6v32-2jc8-w595
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Exploitation needs local/log access (AV:L) and a low-priv account that can read MCP logs (PR:L); replayed admin session yields full C/I/A on Satellite.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:51 vuln.today

DescriptionCVE.org

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution.

AnalysisAI

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local or log-read access on Satellite host
Delivery
Tail MCP server standard logs
Exploit
Capture freshly emitted admin session ID
Install
Replay session ID to MCP endpoint
C2
Server trusts cached connection without token check
Execute
Issue remote execution jobs as admin
Impact
Infrastructure-wide code execution across managed hosts

Vulnerability AssessmentAI

Exploitation Requires local access to the Red Hat Satellite host running foreman-mcp-server, or equivalent read access to any log destination (journald, syslog file, SIEM index) where the MCP server writes newly created session IDs; an administrative session must be active or be created during the observation window so a valid session ID can be harvested and replayed before its natural expiry. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 7.8 and reflects a local, low-complexity, low-privilege path to full CIA impact - consistent with an attacker who can read MCP server logs on the Satellite host (e.g., an unprivileged local user, log-aggregation account, or operator with journal access) and replay an admin session ID. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user on the Satellite host (or an account with read access to log aggregation downstream of the MCP server) tails the standard logs, captures a freshly issued admin session ID, and replays it against the MCP endpoint. Because the server trusts the cached connection without re-validating the auth token, the attacker assumes the administrator's identity and uses Satellite's remote execution features to push commands to every managed host in the fleet.
Remediation Apply the Red Hat-provided update for foreman-mcp-server / Red Hat Satellite 6 as referenced at https://access.redhat.com/security/cve/CVE-2026-12112 and tracked in https://bugzilla.redhat.com/show_bug.cgi?id=2488031; exact patched package versions are not independently confirmed from the supplied data, so verify via the errata before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Red Hat Satellite 6 deployments and immediately restrict read access to application logs to the narrowest group required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5136 HIGH
8.8 Jul 01

Privilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man

CVE-2026-1961 HIGH
8.0 Mar 26

Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

CVE-2026-44604 HIGH
7.0 May 28

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim

CVE-2026-5142 MEDIUM
6.5 Jul 01

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key

CVE-2026-5135 MEDIUM
6.5 Jul 01

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host

CVE-2026-9073 MEDIUM
6.2 Jun 23

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers

CVE-2026-13316 MEDIUM
4.4 Jun 30

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged

CVE-2026-5138 MEDIUM
4.3 Jul 01

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho

CVE-2026-12515 MEDIUM
4.3 Jun 17

Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user

Vendor StatusVendor

Share

CVE-2026-12112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy