Skip to main content

foreman-mcp-server EUVDEUVD-2026-38603

| CVE-2026-9073 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-23 redhat GHSA-7rcj-2493-83x3
6.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

Reading container logs or SIEM data requires at least low local privilege (PR:L); no integrity or availability impact applies to this passive credential exposure flaw.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
6.2 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:51 vuln.today

DescriptionCVE.org

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug logging is enabled, incompletely sanitizes HTTP request headers, leading to the cleartext logging of sensitive information such as authorization tokens and API keys. This vulnerability can result in a confidentiality breach, as sensitive authentication data is persisted in plain text within container logs, increasing the risk if logs are forwarded to a centralized platform.

AnalysisAI

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers and authentication tokens through two independent logging paths. The INFO-level logger unconditionally records session identifiers (which function as authentication credentials) in plaintext, while a separate debug-mode logger incompletely sanitizes HTTP request headers, allowing Authorization tokens and API keys to persist in container logs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain read access to container logs or SIEM
Delivery
Extract plaintext session IDs from INFO-level log entries
Exploit
(If debug logs present) Extract API keys or Authorization header values
Execution
Replay harvested credentials against Satellite API
Impact
Access Satellite as authenticated user or service account

Vulnerability AssessmentAI

Exploitation Two independent exposure conditions exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 6.2) classifies this as Medium severity with local attack vector, low complexity, and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker or malicious insider with read access to Red Hat Satellite 6 container logs - whether via direct kubectl logs access, a SIEM query, or access to an OpenShift logging namespace - passively scans INFO-level log entries and extracts session identifiers that are persistently written in cleartext. These session tokens are then replayed against the Satellite API to impersonate a legitimate administrator or service account, enabling unauthorized access to managed infrastructure, content views, or provisioning workflows without triggering standard authentication events.
Remediation Apply the patch for foreman-mcp-server as released by Red Hat for Satellite 6, tracked at https://access.redhat.com/security/cve/CVE-2026-9073 and https://bugzilla.redhat.com/show_bug.cgi?id=2480151. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5136 HIGH
8.8 Jul 01

Privilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man

CVE-2026-1961 HIGH
8.0 Mar 26

Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl

CVE-2026-12112 HIGH
7.8 Jun 23

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

CVE-2026-48863 HIGH
7.5 Jul 16

Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack

CVE-2026-44604 HIGH
7.0 May 28

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim

CVE-2026-5142 MEDIUM
6.5 Jul 01

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key

CVE-2026-5135 MEDIUM
6.5 Jul 01

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host

CVE-2026-13316 MEDIUM
4.4 Jun 30

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged

CVE-2026-5138 MEDIUM
4.3 Jul 01

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho

CVE-2026-12515 MEDIUM
4.3 Jun 17

Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user

Vendor StatusVendor

Share

EUVD-2026-38603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy