Red Hat Satellite CVE-2026-12515
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
PR:L required as a Satellite account with edit_products is mandatory; C:L only since solely content-existence metadata is disclosed, not content data.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.
AnalysisAI
Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated users holding only the edit_products permission to query content metadata for repositories belonging to products they have no rights to manage. The flaw, rooted in a missing ActiveRecord scope on repository lookup, allows cross-product content-existence enumeration via the content-upload API - but explicitly does not permit modification, import, or publication of content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Satellite user account with the edit_products permission assigned. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N accurately reflects the bounded nature of this flaw: network-accessible, low complexity, but requiring authenticated access with a specific permission. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Satellite operator with edit_products rights scoped only to Product A crafts a direct API request to the content-upload endpoint, substituting the repository ID of an unrelated Product B - an integer ID that may be guessed sequentially or inferred from other API responses. Because the controller performs no permission-scoped lookup, the API returns content metadata confirming whether a specific RPM or file exists in Product B's repository, leaking information about a product the user should have no visibility into. … |
| Remediation | The upstream code fix is available in Katello GitHub pull request #11712 at https://github.com/Katello/katello/pull/11712, which scopes the repository lookup in ContentUploadsController to repositories the requesting user has edit rights over. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Hardened Images
View allOut-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacke
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Heap buffer overflow in GNU Binutils XCOFF linker allows arbitrary code execution when a local user processes a maliciou
Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RA
Root command injection in dracut's legacy DHCP path allows adjacent-network attackers to execute arbitrary commands insi
Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid
Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt m
Certificate name-constraints bypass in GnuTLS allows a remote attacker to craft a leaf certificate whose Subject Alterna
Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only exc
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today