Bug 2452970 (CVE-2026-5136) - CVE-2026-5136 foreman: Foreman: Privilege escalation to administrator-level access via usergroup role assignment manipulation
Keywords:
Status: NEW
Alias: CVE-2026-5136
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-03-30 10:47 UTC by OSIDB Bzimport
Modified: 2026-07-01 17:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID                               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata RHSA-2026:34366  0        None      None    None     2026-07-01 17:27:25 UTC
Red Hat Product Errata RHSA-2026:34367  0        None      None    None     2026-07-01 17:29:09 UTC
Red Hat Product Errata RHSA-2026:34368  0        None      None    None     2026-07-01 17:28:38 UTC

Description OSIDB Bzimport 2026-03-30 10:47:48 UTC
Summary: A privilege escalation flaw was found in Foreman. The Usergroup model does not validate role assignments against the calling user's permissions, unlike the User model, which enforces escalation checks. This flaw allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and add themselves as a member, resulting in full privilege escalation to administrator-level access.

Requirements to exploit: An authenticated Foreman account with the create_usergroups or edit_usergroups permission (e.g., the Site manager, Organization admin, or Manager roles, or any custom role that includes these permissions). The attacker crafts a single API request to create or update a user group with a privileged role_id and their own user_id.
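The check the description contrasts (role assignment validated against the caller's own privileges, as the User model does, versus stored unchecked, as the Usergroup model did) can be modelled in plain Ruby. This is an added example, not Foreman's code; the Caller struct, the Usergroup class, and the policy that a non-admin caller may only grant roles it already holds are assumptions made for illustration.

```ruby
# Example code, not Foreman's: models the escalation check described above.
require 'set'
class PrivilegeEscalation < StandardError; end

# Constructed caller: a login, an admin flag, and the set of role names it holds.
Caller = Struct.new(:login, :admin, :roles, keyword_init: true)

class Usergroup
  attr_reader :name, :roles, :members

  def initialize(name)
    @name = name
    @roles = Set.new
    @members = Set.new
  end

  # Vulnerable shape: the requested roles are stored as-is, so whoever can
  # edit the group decides which roles its members inherit.
  def assign_roles_unchecked!(role_names)
    @roles.merge(role_names)
    self
  end

  # Hardened shape (assumed policy): a non-admin caller may only grant roles it
  # holds itself; an admin caller may grant anything. The whole request is
  # rejected if any requested role would escalate, so no partial update lands.
  def assign_roles!(role_names, as:)
    requested = Set.new(role_names)
    unless as.admin
      escalated = requested - as.roles
      unless escalated.empty?
        raise PrivilegeEscalation,
              "#{as.login} cannot grant #{escalated.to_a.sort.join(', ')}"
      end
    end
    @roles.merge(requested)
    self
  end

  def add_member!(login)
    @members << login
    self
  end

  # Roles a member inherits through this group (sorted for stable comparison).
  def inherited_roles_for(login)
    @members.include?(login) ? @roles.to_a.sort : []
  end
end
```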

Comment 2 errata-xmlrpc 2026-07-01 17:27:23 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:34366 https://access.redhat.com/errata/RHSA-2026:34366

Comment 3 errata-xmlrpc 2026-07-01 17:28:36 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.18 for RHEL 9

Via RHSA-2026:34368 https://access.redhat.com/errata/RHSA-2026:34368

Comment 4 errata-xmlrpc 2026-07-01 17:29:08 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:34367 https://access.redhat.com/errata/RHSA-2026:34367

