Bug 2433784 (CVE-2026-1530)

Summary: CVE-2026-1530 fog-kubevirt: fog-kubevirt: Man-in-the-Middle vulnerability due to disabled certificate validation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: anthomas, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, smallamp, tmalecek
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise.

Description OSIDB Bzimport 2026-01-28 12:42:02 UTC
Summary: MITM in fog-kubevirt due to disabled certificate validation

Requirements to exploit: Being able to MITM traffic between Satellite and OpenShift

Component affected: https://github.com/fog/fog-kubevirt

Version affected: <= 1.5.0

Patch available: no

Version fixed (if any already): none

CVSS (optional): N/A

Impact (optional): Important

Embargo: No

Reason: The amount of affected systems should be low
Suggested public date: dd-MMM-yyyy

Acknowledgement: Evgeni Golov

Steps to reproduce if available:

Configure OpenShift Virtualization / KubeVirt in Satellite with any CA cert provided
See that connections succeed, even if the CA is wrong

Mitigation if available: None

Original report: this email

When foreman_kubevirt sets up a new client, it passes in the CA provided in the UI to Fog::Kubevirt::Compute [1]. This CA (and the boolean whether SSL verification should happen at all) is then used in `obtain_ssl_options` to prepare the SSL options for `kubeclient` [2][3]. However, when the client is actually created, `@opts` is overridden and contains `verify_ssl => OpenSSL::SSL::VERIFY_NONE` [4].
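The defect pattern described above, shown as an added Ruby illustration that is not fog-kubevirt's or foreman_kubevirt's own code: a simplified model of how SSL options are assembled from the UI-supplied CA and verify flag, the flawed construction step in which a later unconditional assignment discards those options and leaves `verify_ssl` at `OpenSSL::SSL::VERIFY_NONE`, a hardened construction that keeps them, and a check a caller or unit test can run on the final options before a client is built. All method names (`obtain_ssl_options_model`, `client_opts_vulnerable`, `client_opts_fixed`, `ssl_options_enforced?`, `make_test_ca`) are hypothetical, and the CA certificate is generated inline purely so the example runs offline.

```ruby
require 'openssl'

# Constructed helper: a throwaway self-signed CA so the example has a real
# PEM to load. Not part of any project's code.
def make_test_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Hypothetical model of the option-preparation step: turn the CA bundle
# (PEM string) and the verify flag from the UI into client SSL options.
def obtain_ssl_options_model(ca_pem: nil, verify_ssl: true)
  opts = { verify_ssl: verify_ssl ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
  if ca_pem && !ca_pem.strip.empty?
    store = OpenSSL::X509::Store.new
    store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
    opts[:cert_store] = store
  end
  opts
end

# Vulnerable pattern: the assembled options are computed, then thrown away
# because the constructor assigns a fresh hash with verification disabled.
def client_opts_vulnerable(ca_pem: nil, verify_ssl: true)
  ssl_options = obtain_ssl_options_model(ca_pem: ca_pem, verify_ssl: verify_ssl)
  opts = { ssl_options: ssl_options }
  # The defect: an unconditional reassignment after the options were built.
  opts = { ssl_options: { verify_ssl: OpenSSL::SSL::VERIFY_NONE } }
  opts
end

# Hardened pattern: extra settings may be added, but on any key conflict the
# computed SSL options win, so verify_ssl can never be silently lowered.
def client_opts_fixed(ca_pem: nil, verify_ssl: true, extra: {})
  ssl_options = obtain_ssl_options_model(ca_pem: ca_pem, verify_ssl: verify_ssl)
  { ssl_options: extra.merge(ssl_options) }
end

# Defensive check to run on the final options before building a client:
# peer verification must be on, and a configured CA must actually be present.
def ssl_options_enforced?(opts, ca_expected:)
  ssl = opts[:ssl_options] || {}
  return false unless ssl[:verify_ssl] == OpenSSL::SSL::VERIFY_PEER
  return false if ca_expected && ssl[:cert_store].nil?
  true
end

if __FILE__ == $PROGRAM_NAME
  pem = make_test_ca
  puts "vulnerable enforced? #{ssl_options_enforced?(client_opts_vulnerable(ca_pem: pem), ca_expected: true)}"
  puts "fixed enforced?      #{ssl_options_enforced?(client_opts_fixed(ca_pem: pem), ca_expected: true)}"
end
```

The check is the part worth keeping around: a unit test that builds the client options with a CA and asserts `ssl_options_enforced?` would have caught the override, because the symptom (connections succeeding against a wrong CA) is invisible in normal operation.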