Bug 2452971 (CVE-2026-5138)

Summary: CVE-2026-5138 foreman: Foreman: Information disclosure via improper validation of nested request parameters
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anthomas, ehelms, ggainey, jpasqual, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, security-response-team, smallamp, tmalecek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-30 10:53:33 UTC
Summary: A cross-tenant information disclosure flaw was found in Foreman. The taxonomy_scope controller method does not validate organization and location IDs from nested request parameters against the current user's taxonomy memberships, bypassing the existing set_taxonomy authorization check. This flaw allows an authenticated user with host-edit permissions to leak infrastructure metadata such as subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs from organizations and locations they do not belong to.

Requirements to exploit: Authenticated Foreman account with create_hosts or edit_hosts permission (or equivalent hostgroup permissions) in at least one organization. Attacker crafts a single HTTP request with a valid own-org ID at the top level and a foreign org ID in nested params.

Comment 2 errata-xmlrpc 2026-07-01 17:27:24 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:34366 https://access.redhat.com/errata/RHSA-2026:34366

Comment 3 errata-xmlrpc 2026-07-01 17:28:41 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.18 for RHEL 9

Via RHSA-2026:34368 https://access.redhat.com/errata/RHSA-2026:34368

Comment 4 errata-xmlrpc 2026-07-01 17:29:08 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:34367 https://access.redhat.com/errata/RHSA-2026:34367