Bug 2429874 (CVE-2026-0980)

Summary: CVE-2026-0980 rubyipmi: Red Hat Satellite: Remote Code Execution in rubyipmi via malicious BMC username
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anthomas, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, smallamp, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-15 08:51:48 UTC 
Summary: Authorized RCE in Red Hat Satellite via rubyipmi gem used in
the BMC component

Requirements to exploit: Satellite with the BMC component enabled,
using ipmitool as the IPMI implementation. The attacker needs
permissions to create (or update) existing hosts in Satellite, but not
to manage Satellite.

Component affected: https://github.com/logicminds/rubyipmi

Version affected: <= 0.12.1

Patch available: yes

Version fixed (if any already): none yet

CVSS (optional): I don't believe in CVSS

Impact (optional): moderate

Embargo: no

Reason: one needs a specific setup and privileges in it to be able to exploit
Suggested public date: dd-MMM-yyyy (It is important to note that an
embargo may be lifted before there is a fix if necessary)

Acknowledgement: <Name> <Company> of the reporter and if they want to
be acknowledged

Steps to reproduce if available:

deploy Foreman/Satellite with --foreman-proxy-bmc true
create a host with a BMC interface and use "admin; touch
/var/log/foreman-proxy/hacked" as the username for the BMC (requires
host create/edit permissions, but not admin)
refresh the host in the UI for Foreman to fetch the BMC status
see /var/log/foreman-proxy/hacked was created
Mitigation if available: use freeipmi or apply patch