CVE-2026-13316 Overview
CVE-2026-13316 is a Server-Side Request Forgery (SSRF) vulnerability in Foreman, an open-source lifecycle management tool for physical and virtual servers. The flaw exists in the http_proxies_controller and http_proxy files, where HTTP parameters can be modified to redirect outbound requests. Attackers with high privileges can abuse this behavior to reach cloud metadata services on AWS, GCP, and Azure environments. The vulnerability is classified under CWE-918: Server-Side Request Forgery.
Critical Impact
Authenticated attackers can extract cloud instance metadata, including credentials and tokens, from AWS, GCP, or Azure metadata endpoints via the Foreman HTTP proxy component.
Affected Products
- Foreman (component: http_proxies_controller)
- Foreman (component: http_proxy)
- Red Hat Satellite deployments embedding affected Foreman versions
Discovery Timeline
- 2026-06-30 - CVE-2026-13316 published to the National Vulnerability Database
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-13316
Vulnerability Analysis
Foreman exposes HTTP proxy configuration through the http_proxies_controller, which accepts user-supplied HTTP parameters that ultimately drive outbound requests. The controller does not sufficiently validate or restrict the destination of proxy-related requests. As a result, an authenticated attacker with sufficient privileges can craft parameters that force the server to issue requests to arbitrary internal endpoints.
The most impactful abuse path targets cloud metadata services. On AWS, GCP, and Azure, instance metadata endpoints are reachable only from the host itself and often return short-lived credentials, IAM role tokens, and configuration data. By coercing Foreman to fetch these internal URLs, an attacker retrieves data that should never leave the host.
The attack is local in nature per the CVSS vector, and it requires high privileges. Confidentiality impact is high, while integrity and availability are unaffected. The EPSS score is 0.109%, reflecting low observed exploitation likelihood at this time.
Root Cause
The root cause is missing destination validation in the HTTP proxy handling logic. User-controlled parameters flow into request construction without an allow-list of permitted hosts or an explicit block on link-local metadata addresses such as 169.254.169.254.
Attack Vector
An authenticated user with permission to interact with the HTTP proxy configuration modifies request parameters so that Foreman issues an outbound HTTP request to a cloud metadata service. The response, containing sensitive metadata, is returned or logged through the application. The vulnerability manifests entirely server-side and does not require user interaction. Refer to the Red Hat CVE-2026-13316 Advisory and Red Hat Bugzilla Report #2490345 for technical details.
Detection Methods for CVE-2026-13316
Indicators of Compromise
- Outbound HTTP requests from the Foreman host to link-local metadata IP addresses such as 169.254.169.254 or metadata.google.internal.
- Unexpected entries in Foreman application logs referencing http_proxies_controller with URLs pointing to internal or cloud metadata endpoints.
- Anomalous use of cloud IAM role credentials associated with the Foreman instance from unusual source IPs or user agents.
Detection Strategies
- Inspect Foreman audit logs for http_proxy create or update actions containing suspicious URLs or hostnames.
- Correlate web server access logs with egress network flows to identify proxy requests targeting RFC 1918 or link-local ranges.
- Alert on any process on the Foreman host resolving or connecting to cloud metadata hostnames outside of expected agents.
Monitoring Recommendations
- Enable verbose auditing on Foreman administrative endpoints, particularly proxy configuration routes.
- Monitor cloud provider audit logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for use of the Foreman host's instance credentials from unexpected contexts.
- Track outbound network policy violations from the Foreman VM using host-based firewall or eBPF-level telemetry.
How to Mitigate CVE-2026-13316
Immediate Actions Required
- Restrict access to Foreman administrative roles that can create or modify HTTP proxy definitions to a minimal set of trusted operators.
- Block egress from the Foreman host to cloud metadata IP ranges except from approved system agents.
- Rotate any IAM credentials or tokens exposed to the Foreman instance if abuse is suspected.
- Review Foreman audit logs for prior proxy configurations targeting internal or metadata endpoints.
Patch Information
Apply updates published by the Foreman project and downstream vendors. Red Hat customers should consult the Red Hat CVE-2026-13316 Advisory for supported package versions and errata specific to Red Hat Satellite. Track fix status in Red Hat Bugzilla Report #2490345.
Workarounds
- Enforce IMDSv2 on AWS EC2 instances hosting Foreman to require session tokens for metadata access.
- Use host firewall rules (iptables, nftables) to deny outbound traffic from Foreman to 169.254.169.254 and equivalent GCP or Azure metadata endpoints.
- Limit HTTP proxy management permissions in Foreman's role-based access control to reduce the population of accounts capable of triggering the flaw.
# Example: block cloud metadata access from the Foreman host
sudo iptables -A OUTPUT -d 169.254.169.254 -m owner ! --uid-owner root -j DROP
sudo iptables -A OUTPUT -d 169.254.169.254 -p tcp --dport 80 -j DROP
sudo ip6tables -A OUTPUT -d fd00:ec2::254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

