CVE-2026-5135 Overview
A broken access control flaw exists in Foreman, the open source lifecycle management tool used to provision and configure physical and virtual servers. An authenticated user holding host-edit permissions can retarget an existing lookup value override to a different host by modifying the match field through nested host attributes. The manipulation bypasses authorization checks that would normally enforce organizational and location boundaries. The result is unauthorized modification of managed host configurations belonging to other tenants within the same Foreman deployment. Red Hat issued advisories RHSA-2026:34365 through RHSA-2026:34368 addressing the flaw in Red Hat Satellite, which embeds Foreman.
Critical Impact
Authenticated users with limited host-edit rights can alter configuration data for hosts outside their assigned organization or location, undermining Foreman's multi-tenant isolation model.
Affected Products
- Foreman (upstream project)
- Red Hat Satellite (as addressed by RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34367, RHSA-2026:34368)
- Deployments exposing the Foreman API to authenticated tenants
Discovery Timeline
- 2026-07-01 - CVE-2026-5135 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-5135
Vulnerability Analysis
Foreman supports lookup value overrides, which allow administrators to bind Puppet or Ansible parameter values to specific hosts. Each override references a target host through a match field such as fqdn=host.example.com. Foreman validates that the invoking user can edit the host referenced by the override at creation time.
The flaw stems from the fact that update operations accept the match field through nested host attributes without re-validating authorization against the new target. An attacker with host-edit permission on any single host can update the match value to point at a host they do not own. Foreman then applies the override to the new target during subsequent configuration runs. This maps to Authorization Bypass Through User-Controlled Key [CWE-639].
The consequence is integrity loss for hosts across organization and location boundaries, which is reflected in the CVSS integrity impact rating. Confidentiality and availability are not directly affected, but injected parameter values may alter service behavior, disable controls, or redirect provisioning steps on the victim host.
Root Cause
Foreman's authorization layer checks the original match reference during override creation but omits an equivalent check when the reference is mutated through nested attributes on update. The controller trusts the client-supplied identifier rather than re-resolving permissions against the new host.
Attack Vector
An attacker authenticates to Foreman with a low-privilege account that includes host-edit on at least one host. They submit an API request that updates an existing lookup value override, replacing the match field with an identifier for a host in another organization or location. Foreman accepts the change, and the override applies during the next configuration compilation on the target host.
Exploitation code is not publicly available. Refer to the Red Hat CVE-2026-5135 Description and Red Hat Bugzilla Report #2452230 for vendor technical detail.
Detection Methods for CVE-2026-5135
Indicators of Compromise
- API PUT or PATCH requests to /api/lookup_values or nested host endpoints that modify a match attribute to reference hosts outside the caller's organization or location.
- Audit log entries showing lookup value override updates authored by users lacking direct permissions on the referenced host.
- Unexpected Puppet or Ansible parameter values applied to hosts during configuration runs.
Detection Strategies
- Parse Foreman audit logs for LookupValue update events and correlate the match field before and after the change against the actor's permitted host set.
- Alert on API requests where the authenticated user's organization or location does not include the host referenced in the new match value.
- Baseline the frequency of override modifications per user account and flag deviations that touch multiple hosts across tenants.
Monitoring Recommendations
- Forward Foreman production.log and audit tables to a centralized log platform for cross-tenant correlation.
- Track configuration drift on managed hosts using Puppet or Ansible reporting to catch unauthorized parameter changes.
- Review role assignments periodically to ensure host-edit is scoped narrowly and not granted platform-wide.
How to Mitigate CVE-2026-5135
Immediate Actions Required
- Apply the Red Hat Satellite updates delivered in RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34367, and RHSA-2026:34368 as soon as they are available for your channel.
- Audit existing lookup value overrides and validate that the match field on each record aligns with the intended host and tenant.
- Review recent audit log entries for LookupValue update actions and reconcile them against expected administrative activity.
Patch Information
Red Hat has published errata RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34367, and RHSA-2026:34368 for supported Satellite releases. Upstream Foreman consumers should track the project's release notes for the corresponding fix that reintroduces authorization checks on the match field during nested attribute updates.
Workarounds
- Restrict host-edit and lookup value permissions to trusted administrators until patches are deployed.
- Disable API access for low-privilege user accounts that do not require programmatic access to Foreman.
- Segment sensitive hosts into dedicated Foreman instances if multi-tenant isolation is a critical requirement and patching must be deferred.
# Configuration example
# Review lookup value overrides and identify any recent changes to the match field
hammer settings list --search 'name ~ audit'
hammer --output csv lookup-value list --smart-variable <variable-name>
# Inspect Foreman audit records for LookupValue updates in the last 30 days
sudo -u postgres psql foreman -c \
"SELECT id, user_id, auditable_type, auditable_id, audited_changes, created_at \
FROM audits \
WHERE auditable_type = 'LookupValue' \
AND action = 'update' \
AND created_at > now() - interval '30 days' \
ORDER BY created_at DESC;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

