It is reported by Austin Macdonald that pulp fails to properly remove existing permissions when an object is deleted (e.g. a user account), if an object with the same name is later created it will inherit the previous permissions leading to a potential privilege escalation. Please note that due to the manner in which pulp is used in Satellite6 it is not vulnerable.