Skip to main content

Red Hat Satellite CVE-2026-12515

MEDIUM
Missing Authorization (CWE-862)
2026-06-17 redhat
4.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

PR:L required as a Satellite account with edit_products is mandatory; C:L only since solely content-existence metadata is disclosed, not content data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 16:58 vuln.today
Analysis Generated
Jun 17, 2026 - 16:58 vuln.today

DescriptionCVE.org

A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.

AnalysisAI

Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated users holding only the edit_products permission to query content metadata for repositories belonging to products they have no rights to manage. The flaw, rooted in a missing ActiveRecord scope on repository lookup, allows cross-product content-existence enumeration via the content-upload API - but explicitly does not permit modification, import, or publication of content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Satellite API with edit_products permission
Delivery
Enumerate or guess integer repository IDs of out-of-scope products
Exploit
Submit content-upload API request referencing target repository ID
Execution
Unscoped Repository.find returns metadata without authorization check
Impact
Infer existence of specific content in otherwise-inaccessible repository

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Satellite user account with the edit_products permission assigned. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N accurately reflects the bounded nature of this flaw: network-accessible, low complexity, but requiring authenticated access with a specific permission. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Satellite operator with edit_products rights scoped only to Product A crafts a direct API request to the content-upload endpoint, substituting the repository ID of an unrelated Product B - an integer ID that may be guessed sequentially or inferred from other API responses. Because the controller performs no permission-scoped lookup, the API returns content metadata confirming whether a specific RPM or file exists in Product B's repository, leaking information about a product the user should have no visibility into. …
Remediation The upstream code fix is available in Katello GitHub pull request #11712 at https://github.com/Katello/katello/pull/11712, which scopes the repository lookup in ContentUploadsController to repositories the requesting user has edit rights over. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-42013 HIGH
8.2 May 26

Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi

CVE-2026-10118 HIGH
7.8 Jun 01

Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacke

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

CVE-2026-6846 HIGH
7.8 Apr 22

Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a maliciou

CVE-2026-14164 HIGH
7.5 Jun 30

Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RA

CVE-2026-6893 HIGH
7.5 Jun 10

Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands insi

CVE-2026-1584 HIGH
7.5 Apr 09

Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid

CVE-2026-33846 HIGH
7.5 May 04

Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt m

CVE-2026-3833 HIGH
7.4 Apr 30

Certificate name-constraints bypass in GnuTLS allows a remote attacker to craft a leaf certificate whose Subject Alterna

CVE-2026-42011 HIGH
7.4 May 07

Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only exc

Vendor StatusVendor

Share

CVE-2026-12515 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy