Skip to main content

Red Hat Satellite EUVDEUVD-2026-40281

| CVE-2026-13316 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-30 redhat GHSA-f274-c23v-hx4j
4.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.8 MEDIUM

Web controller is network-reachable (AV:N); scope change applies as forged requests exit to cloud metadata infrastructure (S:C); PR:H retained as admin access is required.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Red Hat
4.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 11:16 vuln.today
CVE Published
Jun 30, 2026 - 09:53 cve.org
MEDIUM 4.4

DescriptionCVE.org

A flaw has been found in foreman when HTTP parameters are modified in http_proxies_controller and http_proxy files. Attackers can perform an SSRF attack and steal cloud metadata service on AWS/GCP/Azure environment through foreman component.

AnalysisAI

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged attackers to redirect internal HTTP requests to cloud metadata endpoints on AWS, GCP, and Azure environments. By manipulating HTTP parameters in the http_proxies_controller or http_proxy configuration files, an attacker can cause the Foreman server to issue forged requests to internal metadata services (e.g., AWS IMDS at 169.254.169.254), potentially harvesting IAM role credentials, access tokens, and environment configuration secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Foreman admin credentials
Delivery
Access HTTP proxy configuration interface
Exploit
Inject cloud metadata URL as proxy target
Execution
Trigger Foreman to issue forged server-side request
Persist
Receive IMDS response with cloud credentials
Impact
Exfiltrate IAM tokens for cloud lateral movement

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker possess high-privilege (administrative) access to the Foreman or Red Hat Satellite 6 web interface, specifically the ability to create or modify HTTP proxy entries via the http_proxies_controller. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 4.4 (Medium) reflects significant access restrictions: AV:L (local vector) and PR:H (high privileges required) substantially limit exposure, confining exploitation to actors already holding Foreman/Satellite administrative access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding Foreman administrative credentials - obtained through credential theft, privilege escalation, or a compromised admin account - navigates to the HTTP proxies configuration interface and sets a proxy target URL to http://169.254.169.254/latest/meta-data/iam/security-credentials/. When Foreman's backend processes the modified proxy parameter, it issues an HTTP GET to the AWS IMDS endpoint from the Satellite server's network context, returning temporary IAM role credentials (AccessKeyId, SecretAccessKey, Token) that the attacker can then exfiltrate and use to authenticate against AWS APIs. …
Remediation No patched version number has been confirmed in the available data - the Red Hat Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2490345) and the security advisory at https://access.redhat.com/security/cve/CVE-2026-13316 should be monitored for a fixed package release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5136 HIGH
8.8 Jul 01

Privilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man

CVE-2026-1961 HIGH
8.0 Mar 26

Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl

CVE-2026-12112 HIGH
7.8 Jun 23

Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take

CVE-2026-48864 HIGH
7.8 May 26

Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic

CVE-2026-48863 HIGH
7.5 Jul 16

Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack

CVE-2026-44604 HIGH
7.0 May 28

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim

CVE-2026-5142 MEDIUM
6.5 Jul 01

Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_key

CVE-2026-5135 MEDIUM
6.5 Jul 01

Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host

CVE-2026-9073 MEDIUM
6.2 Jun 23

Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers

CVE-2026-5138 MEDIUM
4.3 Jul 01

Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho

CVE-2026-12515 MEDIUM
4.3 Jun 17

Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user

Vendor StatusVendor

Share

EUVD-2026-40281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy