Bug 2452230 (CVE-2026-5135) - CVE-2026-5135 foreman: Foreman: Unauthorized modification of host configurations via broken access control
Keywords:
Status: NEW
Alias: CVE-2026-5135
Deadline: 2026-04-15
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-03-27 13:27 UTC by OSIDB Bzimport
Modified: 2026-07-01 17:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:34366 0 None None None 2026-07-01 17:27:24 UTC
Red Hat Product Errata RHSA-2026:34367 0 None None None 2026-07-01 17:29:13 UTC
Red Hat Product Errata RHSA-2026:34368 0 None None None 2026-07-01 17:28:38 UTC

Description OSIDB Bzimport 2026-03-27 13:27:36 UTC
A broken access control flaw was found in Foreman. This flaw allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host by modifying the match field via nested host attributes, bypassing authorization checks. The injected values are served by the ENC/classification pipeline to configuration management tools, potentially resulting in unauthorized modification of managed host configurations across organization and location boundaries.

Authenticated Foreman account with edit rights on at least one host (edit_hosts permission). The attacker needs two requests: first to create a legitimate override on their own host, then to retarget its match field to the victim host's FQDN. A lookup key with fqdn in its path must exist.
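As an added defensive example (not Foreman's own code and not the vendor's fix), a Ruby check of the kind that closes this class of flaw: every lookup-value override submitted through nested host attributes must already belong to, and continue to target, the host being edited. The module name, the `existing_matches` lookup and the `fqdn=<hostname>` match syntax are assumptions made for the example.

```ruby
# Hypothetical server-side guard for nested lookup-value overrides.
# Assumption: overrides edited through a host form may only ever match
# that host's own fqdn, so any other match is a retargeting attempt.
module LookupValueGuard
  # A match is a comma-separated list of matcher=value pairs,
  # e.g. "fqdn=web01.example.com". Parse it into a hash.
  def self.parse_match(match)
    match.to_s.split(',').each_with_object({}) do |pair, acc|
      key, value = pair.split('=', 2)
      acc[key.to_s.strip] = value.to_s.strip
    end
  end

  # True only when the match refers to exactly this host and nothing else.
  def self.match_targets_host?(match, host_fqdn)
    parsed = parse_match(match)
    parsed.size == 1 && parsed['fqdn'] == host_fqdn
  end

  # host_fqdn:        fqdn of the host being edited
  # submitted:        nested lookup_values attributes from the request
  # existing_matches: id => current match of overrides already stored
  # Returns the submitted entries that must be refused.
  def self.rejected_overrides(host_fqdn, submitted, existing_matches = {})
    submitted.reject do |raw|
      attrs = raw.transform_keys(&:to_s)
      # An update (id present) must reference an override that already
      # targets this host; an unknown id is refused as well.
      owns_existing = attrs['id'].nil? ||
                      match_targets_host?(existing_matches[attrs['id']], host_fqdn)
      # If the request changes the match, it must still target this host.
      keeps_target = !attrs.key?('match') ||
                     match_targets_host?(attrs['match'], host_fqdn)
      owns_existing && keeps_target
    end
  end
end

# Constructed sample input: an override legitimately owned by the edited
# host, and a request that tries to point it at another host.
HOST = 'web01.example.com'.freeze
EXISTING = { 7 => 'fqdn=web01.example.com', 9 => 'fqdn=db01.example.com' }.freeze
REQUEST = [
  { 'id' => 7, 'value' => 'ok' },                       # plain value update
  { 'id' => 7, 'match' => 'fqdn=db01.example.com' },    # retarget attempt
  { 'id' => 9, 'value' => 'x' }                         # someone else's override
].freeze
puts LookupValueGuard.rejected_overrides(HOST, REQUEST, EXISTING).inspect
```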

Comment 2 errata-xmlrpc 2026-07-01 17:27:22 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:34366 https://access.redhat.com/errata/RHSA-2026:34366

Comment 3 errata-xmlrpc 2026-07-01 17:28:36 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.18 for RHEL 9

Via RHSA-2026:34368 https://access.redhat.com/errata/RHSA-2026:34368

Comment 4 errata-xmlrpc 2026-07-01 17:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:34367 https://access.redhat.com/errata/RHSA-2026:34367

