Brian Bouterse of Red Hat reports: Satellite 6 uses a single CA to generate sign all certs; that CA is trusted by the Qpid brokers on the server, capsule, dispatch router, httpd, etc. By design, content hosts only should connect to httpd and the dispatch router. A user with root access to a content host has access to these certs and could authenticate to the server broker or the capsule broker.
Acknowledgement: This issue was discovered by Brian Bouterse of Red Hat.