Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible API requires authenticated low-privileged user (PR:L); impact is confidentiality-only on infrastructure metadata with no integrity or availability effect.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
AnalysisAI
Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding host-edit permissions to retrieve sensitive infrastructure metadata from organizations and locations they are not authorized to access. The root cause is the taxonomy_scope controller method accepting organization and location IDs from nested request parameters without validating them against the caller's authorized tenancy scope, implementing a textbook CWE-639 authorization bypass through user-controlled key. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated session with at minimum host-edit permissions assigned in Foreman/Red Hat Satellite 6. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects a moderate information-disclosure-only vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Satellite user in Organization A, assigned host-edit permissions for legitimate administrative duties, constructs an HTTP request to the Foreman taxonomy_scope endpoint with nested parameters containing the organization and location IDs of Organization B. The controller processes these user-supplied IDs without validating them against the caller's authorized taxonomy, scopes its infrastructure query to Organization B, and returns subnet topology, IP address ranges, gateway addresses, DNS server addresses, and VLAN IDs belonging to that separate tenant. … |
| Remediation | Apply the vendor-supplied patch referenced in the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-5138; an exact fixed version number was not included in the provided data and should be confirmed directly from that advisory before patching. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Satellite 6
View allPrivilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man
Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl
Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack
Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim
Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key
Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host
Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers
Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged
Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41004
GHSA-47r2-h2mh-qqjp