Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Web controller is network-reachable (AV:N); scope change applies as forged requests exit to cloud metadata infrastructure (S:C); PR:H retained as admin access is required.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A flaw has been found in foreman when HTTP parameters are modified in http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component.
AnalysisAI
Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged attackers to redirect internal HTTP requests to cloud metadata endpoints on AWS, GCP, and Azure environments. By manipulating HTTP parameters in the http_proxies_controller or http_proxy configuration files, an attacker can cause the Foreman server to issue forged requests to internal metadata services (e.g., AWS IMDS at 169.254.169.254), potentially harvesting IAM role credentials, access tokens, and environment configuration secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker possess high-privilege (administrative) access to the Foreman or Red Hat Satellite 6 web interface, specifically the ability to create or modify HTTP proxy entries via the http_proxies_controller. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.4 (Medium) reflects significant access restrictions: AV:L (local vector) and PR:H (high privileges required) substantially limit exposure, confining exploitation to actors already holding Foreman/Satellite administrative access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding Foreman administrative credentials - obtained through credential theft, privilege escalation, or a compromised admin account - navigates to the HTTP proxies configuration interface and sets a proxy target URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/. When Foreman's backend processes the modified proxy parameter, it issues an HTTP GET to the AWS IMDS endpoint from the Satellite server's network context, returning temporary IAM role credentials (AccessKeyId, SecretAccessKey, Token) that the attacker can then exfiltrate and use to authenticate against AWS APIs. … |
| Remediation | No patched version number has been confirmed in the available data - the Red Hat Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2490345) and the security advisory at https://access.redhat.com/security/cve/CVE-2026-13316 should be monitored for a fixed package release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Satellite 6
View allPrivilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man
Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl
Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack
Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim
Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key
Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host
Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers
Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho
Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40281
GHSA-f274-c23v-hx4j