Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation needs local/log access (AV:L) and a low-priv account that can read MCP logs (PR:L); replayed admin session yields full C/I/A on Satellite.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution.
AnalysisAI
Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take over active administrative sessions by reusing leaked session IDs that the server caches without re-validating authentication tokens. Because session IDs are written to standard logs, any user with log read access can replay them to gain administrative control and pivot to infrastructure-wide code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to the Red Hat Satellite host running foreman-mcp-server, or equivalent read access to any log destination (journald, syslog file, SIEM index) where the MCP server writes newly created session IDs; an administrative session must be active or be created during the observation window so a valid session ID can be harvested and replayed before its natural expiry. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 7.8 and reflects a local, low-complexity, low-privilege path to full CIA impact - consistent with an attacker who can read MCP server logs on the Satellite host (e.g., an unprivileged local user, log-aggregation account, or operator with journal access) and replay an admin session ID. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged local user on the Satellite host (or an account with read access to log aggregation downstream of the MCP server) tails the standard logs, captures a freshly issued admin session ID, and replays it against the MCP endpoint. Because the server trusts the cached connection without re-validating the auth token, the attacker assumes the administrator's identity and uses Satellite's remote execution features to push commands to every managed host in the fleet. |
| Remediation | Apply the Red Hat-provided update for foreman-mcp-server / Red Hat Satellite 6 as referenced at https://access.redhat.com/security/cve/CVE-2026-12112 and tracked in https://bugzilla.redhat.com/show_bug.cgi?id=2488031; exact patched package versions are not independently confirmed from the supplied data, so verify via the errata before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Red Hat Satellite 6 deployments and immediately restrict read access to application logs to the narrowest group required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Satellite 6
View allPrivilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man
Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim
Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key
Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host
Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers
Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged
Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho
Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user
Same weakness CWE-287 – Improper Authentication
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38599
GHSA-6v32-2jc8-w595