It is reported that the Spacewalk 2.6 API contains an XXE flaw resulting in information disclosure.
*** Bug 1554445 has been marked as a duplicate of this bug. ***
Statement: This issue affects the versions of spacewalk as shipped with Red Hat Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Fixed in spacewalk git by commit ff0c56b6735ca978c4cede5e4e6fa71e3e9bfd82 1555429 - do not download external entities