Skip to main content

Red Hat Satellite CVE-2026-5136

| EUVDEUVD-2026-40959 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-07-01 redhat GHSA-fpxf-rppp-4373
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-facing web app (AV:N), no special timing (AC:L); attacker needs a delegated usergroup-management account so PR:L not PR:N; escalation to full admin yields C/I/A:H with scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:21 vuln.today

DescriptionCVE.org

A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.

AnalysisAI

Privilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-management permissions attach arbitrary roles - including the administrator role - to a user group and then enroll themselves, gaining full admin-level control. The Usergroup model fails to validate that the assigning user actually holds the roles being granted, breaking the RBAC delegation boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as delegated usergroup manager
Delivery
Create or edit a user group
Exploit
Attach administrator role (subset check missing)
Execution
Add own account as member
Impact
Inherit full admin privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Foreman/Red Hat Satellite 6 account that has been granted usergroup-management permissions (the specific delegated capability to create or modify user groups); with that, the attacker attaches an arbitrary higher-privileged role - up to the administrator role - to a group and adds themselves as a member. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8) describes a network-reachable, low-complexity attack requiring some existing authentication and no user interaction, with total confidentiality/integrity/availability impact consistent with full admin takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An administrator delegates day-to-day user-group management to a help-desk operator via a limited role that includes usergroup-management permissions. That operator creates or edits a user group, attaches the built-in administrator role to it (which the platform fails to reject), adds their own account as a member, and immediately inherits full Satellite administrator privileges. …
Remediation No vendor-released patch version was identified in the provided data, so apply the fix referenced by Red Hat once published - monitor https://access.redhat.com/security/cve/CVE-2026-5136 and https://bugzilla.redhat.com/show_bug.cgi?id=2452970 for the errata and exact fixed package version, then upgrade to it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all users with usergroup-management permissions and review recent Usergroup role assignments for suspicious activity; implement immediate restrictions on who can assign this capability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-1961 HIGH
8.0 Mar 26

Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl

CVE-2026-12112 HIGH
7.8 Jun 23

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

CVE-2026-44604 HIGH
7.0 May 28

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim

CVE-2026-5142 MEDIUM
6.5 Jul 01

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key

CVE-2026-5135 MEDIUM
6.5 Jul 01

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host

CVE-2026-9073 MEDIUM
6.2 Jun 23

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers

CVE-2026-13316 MEDIUM
4.4 Jun 30

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged

CVE-2026-5138 MEDIUM
4.3 Jul 01

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho

CVE-2026-12515 MEDIUM
4.3 Jun 17

Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user

Share

CVE-2026-5136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy