Skip to main content

Red Hat Satellite CVE-2026-5135

| EUVDEUVD-2026-41003 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-01 redhat GHSA-vpj3-792h-v855
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

PR:L confirmed as host-edit role is required; I:H reflects unauthorized modification of managed host configurations; no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:57 vuln.today

DescriptionCVE.org

A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authorisation checks. The consequence is the potential for unauthorised modification of managed host configurations across different organisational and location boundaries.

AnalysisAI

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host-edit permissions to retarget an existing lookup value override to hosts outside their authorized organizational or location scope. The flaw stems from insufficient authorization enforcement on the match field when modified via nested host attributes, allowing an attacker to effectively write configuration overrides to managed hosts they are not permitted to administer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with host-edit credentials
Delivery
Identify target host in out-of-scope organization
Exploit
Craft API request with manipulated match field via nested host attributes
Execution
Submit override retargeting to cross-boundary host
Persist
Authorization check bypassed
Impact
Unauthorized configuration applied to target host

Vulnerability AssessmentAI

Exploitation Authentication with a low-privilege account is required - specifically, the target account must hold the host-edit permission within Foreman/Satellite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) reflects a network-accessible, low-complexity exploit requiring only low-privilege authentication with no user interaction, producing high integrity impact but no confidentiality or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Red Hat Satellite user assigned a host-edit role within Organization A crafts an API request that modifies the match field of an existing smart variable lookup value override using nested host attributes referencing a host in Organization B. The server's authorization check validates the user's host-edit permission but fails to verify that the resolved target host falls within the user's permitted organizational scope, silently applying the override to the out-of-scope host. …
Remediation Patch available per vendor advisory - consult https://access.redhat.com/security/cve/CVE-2026-5135 for the specific errata and fixed Satellite build, as no exact patched version number was present in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5136 HIGH
8.8 Jul 01

Privilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man

CVE-2026-1961 HIGH
8.0 Mar 26

Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl

CVE-2026-12112 HIGH
7.8 Jun 23

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

CVE-2026-48863 HIGH
7.5 Jul 16

Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack

CVE-2026-44604 HIGH
7.0 May 28

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim

CVE-2026-5142 MEDIUM
6.5 Jul 01

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key

CVE-2026-9073 MEDIUM
6.2 Jun 23

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers

CVE-2026-13316 MEDIUM
4.4 Jun 30

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged

CVE-2026-5138 MEDIUM
4.3 Jul 01

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho

CVE-2026-12515 MEDIUM
4.3 Jun 17

Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user

Share

CVE-2026-5135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy