CVE-2026-5142 Overview
CVE-2026-5142 is an authorization flaw in Foreman that allows authenticated users to bypass taxonomy scoping and read private SSH (Secure Shell) keys belonging to other organizations. Users holding the view_keypairs permission can directly query key pair identifiers to retrieve sensitive credentials outside their assigned tenant boundary. The weakness is classified as [CWE-639] Authorization Bypass Through User-Controlled Key, an insecure direct object reference pattern. In multi-tenant Foreman deployments, this enables cross-tenant data exposure of credentials used to access managed hosts.
Critical Impact
Authenticated tenants can download private SSH keys from unrelated organizations, undermining tenant isolation and enabling lateral access to managed infrastructure.
Affected Products
- Red Hat Satellite (Foreman-based) — see Red Hat CVE Analysis CVE-2026-5142
- Foreman project deployments configured with multi-organization taxonomies
- Products covered by Red Hat advisories RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34367, and RHSA-2026:34368
Discovery Timeline
- 2026-07-01 - CVE-2026-5142 published to the National Vulnerability Database (NVD)
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-5142
Vulnerability Analysis
Foreman uses taxonomies, primarily organizations and locations, to segment resources between tenants. The key pair endpoint enforces the view_keypairs role permission but fails to intersect that check with the caller's taxonomy scope. An authenticated user with the permission in any organization can request an arbitrary key pair ID and receive the record, including the private SSH key. This exposes credentials that Foreman uses to provision and manage compute resources across cloud and virtualization providers. Attackers who obtain these keys can pivot to the underlying hosts, potentially compromising workloads that belong to other tenants sharing the same Foreman instance.
Root Cause
The issue is an insecure direct object reference [CWE-639]. The controller resolves a key pair record by its identifier without applying the current user's organization and location filters. Role-based permission checks confirm the action is allowed in principle but do not restrict the row set to the caller's taxonomy, so any valid view_keypairs grant is treated as global.
Attack Vector
Exploitation requires network access to the Foreman web interface or API and a valid authenticated session with view_keypairs. The attacker iterates through numeric key pair identifiers and issues GET requests to the key pair resource endpoint. Each successful response returns the private key material in the payload, regardless of the owning organization. No user interaction is required beyond the attacker's own authenticated session.
Because no verified proof-of-concept has been published, refer to the Red Hat Bug Report #2452999 for reproduction details.
Detection Methods for CVE-2026-5142
Indicators of Compromise
- Authenticated API requests to key pair endpoints (for example /api/compute_resources/*/available_images and /api/key_pairs) that return records outside the caller's organization scope.
- Sequential or enumerating GET requests against key pair IDs originating from a single user session.
- Unexpected downloads of private SSH key material by accounts that do not administer the target compute resources.
Detection Strategies
- Correlate Foreman production.log and audit log entries against the requesting user's taxonomy assignments to surface cross-tenant reads.
- Alert on any user account that accesses key pair records associated with more than one organization within a short window.
- Track HTTP 200 responses to key pair endpoints where the response body contains PEM-encoded private key headers.
Monitoring Recommendations
- Forward Foreman application and audit logs to a centralized SIEM and normalize on user, organization, and resource ID fields.
- Baseline normal key pair access patterns per role, then alert on deviations such as bulk enumeration.
- Review role assignments for view_keypairs and reduce the number of users holding that permission.
How to Mitigate CVE-2026-5142
Immediate Actions Required
- Apply the Red Hat Satellite updates delivered in RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34367, and RHSA-2026:34368.
- Rotate all SSH key pairs stored in Foreman and update the corresponding authorized keys on managed hosts and compute resources.
- Audit historical access logs for previous cross-tenant reads of key pair records.
Patch Information
Red Hat has shipped fixes across multiple Satellite streams. Consult the Red Hat CVE Analysis CVE-2026-5142 page for the mapping between product versions and errata, then apply the update matching your deployment channel.
Workarounds
- Restrict the view_keypairs permission to a minimal set of administrators until patches are deployed.
- Remove or unassign roles granting key pair visibility from standard tenant users and review custom roles for inherited permissions.
- Where feasible, temporarily disconnect shared compute resources that rely on Foreman-managed SSH keys and manage them out of band.
# Example: list users granted a role that includes view_keypairs
hammer user list --search 'role = "Compute Resources Manager"'
# Remove the role from a non-admin account pending patch deployment
hammer user remove-role --login <username> --role "Compute Resources Manager"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

