Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network API access with low-privilege auth (view_keypairs role) required; pure confidentiality impact via private SSH key exfiltration; no integrity or availability effect.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.
AnalysisAI
Private SSH key exfiltration in Red Hat Satellite 6 (upstream: Foreman) allows authenticated users holding the 'view_keypairs' permission to bypass taxonomy scoping and retrieve private SSH keys belonging to foreign organizations by directly querying key pair IDs via the API. The flaw is an IDOR (CWE-639) at the multi-tenancy enforcement layer, meaning the isolation contract between tenant organizations is broken for any user granted that permission. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session in Foreman/Satellite with the 'view_keypairs' permission assigned via RBAC - unauthenticated access is not possible (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N scoring 6.5 Medium accurately reflects the core risk profile: network-exploitable with no attack complexity, but gated behind authenticated access and a specific RBAC permission ('view_keypairs'). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker in Organization A with the 'view_keypairs' role issues direct HTTP requests to Satellite's key pair API endpoint, incrementing or probing key pair IDs that fall outside their assigned organization's taxonomy scope. Because the server validates the permission but not the organizational ownership of the requested object, it returns the private SSH key material for Organization B's key pairs. … |
| Remediation | Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-5142 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2452999 to obtain the patched release; no specific fixed version number was confirmed in available intelligence and must be verified directly against the Red Hat advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Satellite 6
View allPrivilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-man
Remote code execution is achievable in Red Hat Foreman and Satellite 6 via command injection in the WebSocket proxy impl
Session hijacking in the foreman-mcp-server component (shipped with Red Hat Satellite 6) allows local attackers to take
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a malic
Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated pack
Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim
Broken access control in Foreman (the upstream engine of Red Hat Satellite 6) permits an authenticated user holding host
Cleartext credential persistence in foreman-mcp-server, a component of Red Hat Satellite 6, exposes session identifiers
Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged
Cross-tenant information disclosure in Foreman (packaged as Red Hat Satellite 6) allows an authenticated user holding ho
Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated user
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41002
GHSA-h2gj-g5gx-f7qq