It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users.
Name: Tim Wade (Red Hat)
This issue has been addressed in the following products:
CloudForms Management Engine 5.8
Via RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:1758