It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations.
Marek Hulán of Red Hat reports:
When accessing Foreman as a user limited to a specific organization, having access to other organization IDs and having unlimited filters could allow a user to access/modify other organization data by using the organization ID as an API parameter.
Name: Marek Hulán (Red Hat)
This issue has been addressed in the following products:
Red Hat Satellite 6.3 for RHEL 7
Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336
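The access-control gap described in the report can be modelled as a scoping check that trusts the organization ID sent in the request. The following is an added example, not Foreman or Satellite code: the `User` and `Host` structs, both `scope_*` functions and the sample data are hypothetical, and it assumes the membership check is skipped only when the user's filter is unlimited.

```ruby
# Simplified model of organization scoping for an API request.
# Every name below is hypothetical; this is not Foreman's implementation.
User = Struct.new(:login, :organization_ids, :unlimited_filter)
Host = Struct.new(:name, :organization_id)

# Constructed sample data: two organizations with one host each.
HOSTS = [
  Host.new("web01.example.com", 1),
  Host.new("db01.example.com", 2)
].freeze

class Forbidden < StandardError; end

# Flawed pattern: the organization_id parameter selects the scope, and
# membership is re-checked only for users with a limited filter.
def scope_trusting_param(user, params)
  org_id = params[:organization_id] || user.organization_ids.first
  if !user.unlimited_filter && !user.organization_ids.include?(org_id)
    raise Forbidden, "organization #{org_id} not assigned to #{user.login}"
  end
  HOSTS.select { |h| h.organization_id == org_id }
end

# Hardened pattern: the requested organization must be one the user is
# assigned to, checked server-side whatever the filter settings are.
def scope_checked(user, params)
  allowed = user.organization_ids
  requested = params[:organization_id]
  if requested
    unless allowed.include?(requested)
      raise Forbidden, "organization #{requested} not assigned to #{user.login}"
    end
    allowed = [requested]
  end
  HOSTS.select { |h| allowed.include?(h.organization_id) }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", [1], true) # member of organization 1 only
  puts scope_trusting_param(alice, { organization_id: 2 }).map(&:name).inspect
  begin
    scope_checked(alice, { organization_id: 2 })
  rescue Forbidden => e
    puts "denied: #{e.message}"
  end
end
```

A regression test for this class of bug requests each organization-scoped endpoint with an organization ID the test user is not assigned to and expects a denial for both reads and writes.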