It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users.
Acknowledgments: Name: Tim Wade (Red Hat)
This issue has been addressed in the following products: CloudForms Management Engine 5.8 Via RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:1758