It is reported that the Spacewalk 2.6 API contains an XXE flaw resulting in information disclosure.
*** Bug 1554445 has been marked as a duplicate of this bug. ***
This issue affects the versions of spacewalk as shipped with Red Hat Satellite 5. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Fixed in spacewalk git by
1555429 - do not download external entities
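
The mitigation named in the fix title ("do not download external entities"), shown as an added example; this is not the Spacewalk commit or code from this bug. It assumes a JAXP SAX parser backed by the JDK's built-in Xerces implementation, and the class name, method names and sample XML-RPC requests are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlRpcParse {

    // Build a SAX parser that never fetches anything the document refers to.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: an XML-RPC request has no need for one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true if the request parsed, false if the parser refused it.
    static boolean accepts(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests; the method name and entity URL are placeholders.
        String plain = "<?xml version=\"1.0\"?>"
            + "<methodCall><methodName>example.method</methodName><params/></methodCall>";
        String withEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE methodCall [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
            + "<methodCall><methodName>&ext;</methodName><params/></methodCall>";
        System.out.println("plain request accepted: " + accepts(plain));
        System.out.println("DOCTYPE/entity request accepted: " + accepts(withEntity));
    }
}
```

Treating a refused request as an error returned to the caller, rather than retrying with a default parser, keeps the protection from being bypassed by a fallback path.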