Skip to main content
CVE Vulnerability Database

CVE-2026-5138: Foreman Information Disclosure Vulnerability

CVE-2026-5138 is an information disclosure vulnerability in Foreman that enables cross-tenant data leaks. Attackers with host-edit permissions can access sensitive infrastructure metadata. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-5138 Overview

CVE-2026-5138 is a cross-tenant information disclosure vulnerability in Foreman, a lifecycle management tool for physical and virtual servers. An authenticated user holding host-edit permissions can bypass tenant isolation and read infrastructure metadata belonging to organizations and locations they are not authorized to access. The flaw resides in the taxonomy_scope controller method, which fails to validate organization and location identifiers supplied through nested request parameters. Exploitation exposes subnet topology, IP ranges, gateways, DNS servers, and VLAN identifiers across tenant boundaries. The issue is tracked under [CWE-639: Authorization Bypass Through User-Controlled Key].

Critical Impact

Authenticated tenants can enumerate sensitive network topology data from other organizations, undermining multi-tenant isolation guarantees in Foreman deployments.

Affected Products

  • Red Hat Satellite (Foreman-based distributions)
  • Foreman upstream project
  • Red Hat products referenced in advisories RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34367, and RHSA-2026:34368

Discovery Timeline

  • 2026-07-01 - CVE-2026-5138 published to the National Vulnerability Database
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-5138

Vulnerability Analysis

Foreman enforces multi-tenancy through taxonomies that partition resources by organization and location. The taxonomy_scope controller method applies these constraints when serving host and infrastructure queries. When request payloads embed organization and location IDs inside nested parameters, the controller consumes those identifiers without re-validating them against the caller's authorized taxonomy set. An attacker with a legitimate host-edit role in one tenant can therefore substitute foreign taxonomy IDs in the nested payload and receive scoped data from tenants they should not see.

The leaked fields include subnet definitions, IP address ranges, default gateways, DNS server assignments, and VLAN IDs. This information supports lateral reconnaissance, network mapping, and targeted follow-on attacks against adjacent tenants sharing the same Foreman instance.

Root Cause

The root cause is inconsistent authorization enforcement in the taxonomy_scope method. Top-level authorization checks approve the request based on the user's assigned organization and location, but nested parameters carrying alternate IDs are trusted implicitly. This creates a classic insecure direct object reference where a user-controlled key selects data outside the intended authorization boundary.

Attack Vector

Exploitation requires network access to the Foreman web interface or API and a valid account with host-edit privileges. The attacker crafts an API request in which nested organization_id and location_id parameters point to a foreign tenant. Foreman returns metadata scoped to the attacker-supplied taxonomy rather than the authenticated user's assigned taxonomy. No user interaction is required beyond the attacker's own authenticated session. See the Red Hat CVE Analysis for CVE-2026-5138 for further technical details.

Detection Methods for CVE-2026-5138

Indicators of Compromise

  • API or web requests containing nested organization_id or location_id parameters that differ from the authenticated user's assigned taxonomies.
  • Access log entries showing repeated enumeration of taxonomy IDs against taxonomy_scope-backed endpoints.
  • Unusual read volume of subnet, domain, or VLAN resources by non-administrative accounts holding only host-edit permissions.

Detection Strategies

  • Compare taxonomy IDs in request payloads against the authenticated user's authorized organization and location memberships and alert on mismatches.
  • Audit Foreman production.log and access.log entries for requests referencing taxonomy IDs the caller does not own.
  • Correlate host-edit role assignments with sensitive network metadata queries to surface abuse of least-privileged accounts.

Monitoring Recommendations

  • Forward Foreman application and audit logs to a centralized analytics platform for cross-tenant query inspection.
  • Baseline expected taxonomy access patterns per role and alert on deviations.
  • Track API error rates and 200-response volumes on subnet, domain, and hostgroup endpoints to identify enumeration attempts.

How to Mitigate CVE-2026-5138

Immediate Actions Required

Patch Information

Red Hat has published fixes across multiple advisories. Administrators should consult the Red Hat Bug Report #2452971 and apply the vendor package updates that correct the taxonomy_scope authorization logic so nested taxonomy identifiers are validated against the caller's authorized set.

Workarounds

  • Restrict host-edit role assignments to trusted administrators until patching completes.
  • Isolate tenants across separate Foreman instances where cross-tenant confidentiality is required.
  • Place the Foreman API behind a reverse proxy that inspects and rejects requests with unexpected nested taxonomy parameters.
bash
# Configuration example: identify accounts with host-edit permissions for review
foreman-rake console <<'RUBY'
Role.joins(:filters).where(filters: { permissions: Permission.where(name: 'edit_hosts') }).
  distinct.each { |r| puts "Role: #{r.name} -> Users: #{r.users.pluck(:login).join(', ')}" }
RUBY

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.