CVE-2026-5135
Status: Received - Intake

Broken Access Control in Foreman Allows Host Configuration Tampering

Vulnerability report for CVE-2026-5135, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Red Hat, Inc.

Description

A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the override's match field through nested host attributes, bypassing the authorization check that should apply to the target host. The consequence is the potential for unauthorized modification of managed host configurations across organization and location boundaries.

CVSS Scores
(none listed)

EPSS Scores
Probability: N/A
Percentile: N/A

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor   Product   Version / Range
redhat   foreman   * (CPE wildcard: any version)

Helpful Resources

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

KEV: (no entry shown)

Attack-Flow Graph

AI Quick Actions

Compliance Impact

This vulnerability lets an authenticated user with host-edit permissions bypass authorization checks and modify managed host configurations across organization and location boundaries.

Where the affected hosts handle regulated data, an unauthorized configuration change of this kind can itself be a control failure under frameworks such as GDPR or HIPAA, which require access to system configuration to be restricted and accountable.

The advisory does not state a compliance impact; assess it against the scope of the hosts Foreman manages in your environment.

Executive Summary

CVE-2026-5135 is a broken access control vulnerability in Foreman, a host lifecycle management tool. It allows an authenticated user who has host-edit permissions to retarget an existing lookup value override to a different host by modifying the override's match field through nested host attributes. The authorization check is applied to the host named in the request, not to the host the override is moved to, so the user gains control over the configuration of a host they are not permitted to edit, including hosts in other organizations and locations.

The attack takes two steps: the attacker first creates a legitimate override for a host they are allowed to edit, then updates that same host again and, through the nested lookup-value attributes, changes the override's match field to the victim host's fully qualified domain name (FQDN). It depends on a lookup key whose matcher order (its "path") includes fqdn, so that an fqdn=<host> override is a valid match for that key.
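The following Ruby model is an added illustration of the CWE-639 pattern described above; it is written for this page and is not Foreman's code. Every name in it (Host, LookupValue, Store, User, update_host_vulnerable!, update_host_hardened!) is hypothetical, and it assumes only what the advisory states: an override is bound to a host by a matcher string of the form fqdn=<host>, and a host update accepts nested lookup-value attributes. The vulnerable variant authorizes the host named in the request and then writes the nested attributes verbatim; the hardened variant additionally requires that each nested override already belongs to that host and that any new match still resolves to it.

```ruby
# Added illustration of the CWE-639 pattern behind CVE-2026-5135. This is a
# self-contained model written for this page, not Foreman's code: every name
# here (Host, LookupValue, Store, User, update_host_*) is hypothetical.
# Assumption: an override is bound to a host purely by its matcher string
# ("fqdn=<host fqdn>"), as lookup-value overrides are in Foreman.

Host        = Struct.new(:id, :fqdn, :organization, :location)
LookupValue = Struct.new(:id, :key, :match, :value)
User        = Struct.new(:name, :editable_host_ids) do
  def can_edit?(host)
    editable_host_ids.include?(host.id)
  end
end

class NotAuthorized < StandardError; end

class Store
  attr_reader :hosts, :lookup_values

  def initialize
    @hosts = {}
    @lookup_values = {}
  end

  def add_host(host)
    @hosts[host.id] = host
  end

  def add_lookup_value(lv)
    @lookup_values[lv.id] = lv
  end

  # The host an "fqdn=<name>" matcher binds an override to, or nil for any
  # other matcher or an unknown name.
  def override_target(matcher)
    m = /\Afqdn=(.+)\z/.match(matcher.to_s)
    m && @hosts.values.find { |h| h.fqdn == m[1] }
  end
end

# Vulnerable shape: the endpoint authorizes the host named in the request,
# then applies the nested lookup_values_attributes verbatim. Nothing ties the
# override being edited, or its new match value, back to that host.
def update_host_vulnerable!(store, user, host_id, lookup_values_attributes)
  host = store.hosts.fetch(host_id)
  raise NotAuthorized, "#{user.name} may not edit #{host.fqdn}" unless user.can_edit?(host)
  lookup_values_attributes.each do |attrs|
    lv = store.lookup_values.fetch(attrs[:id])
    lv.match = attrs[:match] if attrs.key?(:match)
    lv.value = attrs[:value] if attrs.key?(:value)
  end
  host
end

# Hardened shape: a nested override must already be bound to the host being
# edited, and a new match may only keep it bound to that same host. Moving an
# override to another host has to go through that host's own update, where
# the host-edit check is applied to the right object.
def update_host_hardened!(store, user, host_id, lookup_values_attributes)
  host = store.hosts.fetch(host_id)
  raise NotAuthorized, "#{user.name} may not edit #{host.fqdn}" unless user.can_edit?(host)
  lookup_values_attributes.each do |attrs|
    lv = store.lookup_values.fetch(attrs[:id])
    unless store.override_target(lv.match) == host
      raise NotAuthorized, "override #{lv.id} is not bound to #{host.fqdn}"
    end
    if attrs.key?(:match) && store.override_target(attrs[:match]) != host
      raise NotAuthorized, "override #{lv.id} may not be retargeted to #{attrs[:match]}"
    end
    lv.match = attrs[:match] if attrs.key?(:match)
    lv.value = attrs[:value] if attrs.key?(:value)
  end
  host
end

# Constructed scenario: mallory may edit only host 1 (her lab box); override
# 10 was legitimately created for it. Host 2 lives in another org/location.
def build_scenario
  store = Store.new
  store.add_host(Host.new(1, "lab01.lab.example", "Lab", "Berlin"))
  store.add_host(Host.new(2, "db01.prod.example", "Prod", "Dublin"))
  store.add_lookup_value(LookupValue.new(10, "ntp::servers", "fqdn=lab01.lab.example", "ntp.lab.example"))
  [store, User.new("mallory", [1])]
end

# Retarget override 10 to host 2 while editing host 1; returns the override's
# final match, or :rejected if the update raised NotAuthorized.
def retarget_attempt(updater)
  store, user = build_scenario
  send(updater, store, user, 1, [{ id: 10, match: "fqdn=db01.prod.example" }])
  store.lookup_values[10].match
rescue NotAuthorized
  :rejected
end

# A legitimate edit (new value, same host) must still pass the hardened path.
def legitimate_edit
  store, user = build_scenario
  update_host_hardened!(store, user, 1, [{ id: 10, value: "pool.ntp.org" }])
  store.lookup_values[10].value
end

if __FILE__ == $0
  puts "vulnerable: #{retarget_attempt(:update_host_vulnerable!)}" # fqdn=db01.prod.example
  puts "hardened:   #{retarget_attempt(:update_host_hardened!)}"   # rejected
  puts "legitimate: #{legitimate_edit}"                             # pool.ntp.org
end
```

The point of the hardened path is that authorization is evaluated against the object the override actually resolves to, both before and after the change, rather than against the identifier the caller chose to put in the URL.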

Impact Analysis

This vulnerability can lead to unauthorized changes in managed host configurations across different organizational boundaries. An attacker with host-edit permissions can modify configurations of hosts they should not have access to, potentially causing misconfigurations, security policy violations, or operational disruptions.

Detection Guidance

Exploitation leaves a specific trace: a lookup value override whose match field was changed, via nested host attributes, from the attacker's own host to another host's fully qualified domain name (FQDN). Look for overrides of the form fqdn=<host> that were created or modified by users holding host-edit permissions and that now point at a host those users should not be able to edit, in particular across organization or location boundaries.

Because the exploit requires an authenticated Foreman account with host-edit rights and a lookup key whose matcher path includes fqdn, the candidate set is small: the fqdn= overrides on those keys, and the audit trail of who changed them.

The resources on this page give no specific commands. In practice, list the overrides through Foreman's API or CLI (hammer), or directly from the lookup values table in the Foreman database, and check each match field; then review Foreman's audit records for lookup-value updates in which the match field moved from one fqdn to a different one. A match change made by a user who holds host-edit rights on the original host but not on the new target is the signal.

Mitigation Strategies

Immediate mitigation is to restrict host-edit permissions to trusted users, since the vulnerability can only be exploited by an authenticated user who holds them.

In addition, review and audit existing lookup value overrides, especially those whose match field is of the form fqdn=<host>, to confirm that each one still points at the host it was created for and has not been redirected to a host in another organization or location.

Prioritize applying the Foreman or Red Hat patches addressing this flaw as soon as they are released; the page lists a target fix deadline of April 15, 2026.
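The following Ruby script is an added example serving both the Detection Guidance and the override review above; it is not part of the page's resources and not Foreman's own tooling. It runs on two constructed data sets whose shape is an assumption modelled on Foreman's API: audit records as returned by the audits endpoint (with audited_changes holding a single value for creates and an [old, new] pair for updates, the layout used by the audited gem Foreman builds on), plus a flat list of current overrides with their matcher strings and a list of hosts with organization_name and location_name. It reports update audits in which an override's match moved from one fqdn to another, and current overrides whose fqdn target differs from the one recorded at creation, together with the organization or location boundary the move crossed.

```ruby
require 'json'

# Added triage script for this page, not Foreman's own tooling. It works on two
# constructed data sets whose shape is an assumption modelled on Foreman's API:
# audit records as /api/v2/audits returns them (audited_changes holds
# {"field": value} for creates and {"field": [old, new]} for updates, the
# layout the audited gem uses) and a flat list of current overrides with
# their matcher strings plus the hosts they can refer to.

FQDN_MATCHER = /\Afqdn=(?<fqdn>[^,\s]+)\z/

# The host name an "fqdn=<name>" matcher binds to, or nil for any other matcher.
def fqdn_of(matcher)
  m = FQDN_MATCHER.match(matcher.to_s)
  m && m[:fqdn]
end

# (1) Detection: LookupValue update audits in which the match field moved from
# one host's fqdn to a different one, the exact footprint of a retarget.
def find_retargets(audits)
  updates = audits.select { |a| a["auditable_type"] == "LookupValue" && a["action"] == "update" }
  updates.filter_map do |a|
    change = a.dig("audited_changes", "match")
    next unless change.is_a?(Array) && change.size == 2
    from, to = change.map { |v| fqdn_of(v) }
    next unless from && to && from != to
    { audit_id: a["id"], override_id: a["auditable_id"], user: a["user_name"],
      from: from, to: to, at: a["created_at"], ip: a["remote_address"] }
  end
end

# (2) Review of current state: every fqdn override is compared with the fqdn it
# was created for (taken from its create audit); a mismatch is reported with
# the organization/location boundary the move crossed.
def review_overrides(overrides, audits, hosts)
  hosts_by_name = hosts.to_h { |h| [h["name"], h] }
  creates = audits.select { |a| a["auditable_type"] == "LookupValue" && a["action"] == "create" }
  created_for = creates.to_h { |a| [a["auditable_id"], fqdn_of(a.dig("audited_changes", "match"))] }
  overrides.filter_map do |o|
    now  = fqdn_of(o["match"])
    orig = created_for[o["id"]]
    next unless now && orig && now != orig
    src, dst = hosts_by_name[orig], hosts_by_name[now]
    crossed = []
    if src && dst
      crossed << "organization" if src["organization_name"] != dst["organization_name"]
      crossed << "location"     if src["location_name"] != dst["location_name"]
    end
    { override_id: o["id"], key: o["parameter"], created_for: orig, now_targets: now,
      target_known: !dst.nil?, crossed: crossed }
  end
end

# Constructed sample data (not real Foreman output).
SAMPLE_AUDITS = JSON.parse(<<~JSON)
  [
    {"id": 501, "auditable_type": "LookupValue", "auditable_id": 10, "action": "create",
     "user_name": "mallory", "created_at": "2026-06-30T09:12:44Z", "remote_address": "10.0.0.5",
     "audited_changes": {"match": "fqdn=lab01.lab.example", "value": "ntp.lab.example"}},
    {"id": 502, "auditable_type": "LookupValue", "auditable_id": 10, "action": "update",
     "user_name": "mallory", "created_at": "2026-06-30T09:13:02Z", "remote_address": "10.0.0.5",
     "audited_changes": {"match": ["fqdn=lab01.lab.example", "fqdn=db01.prod.example"]}},
    {"id": 503, "auditable_type": "LookupValue", "auditable_id": 11, "action": "create",
     "user_name": "ops-admin", "created_at": "2026-06-29T10:00:00Z", "remote_address": "10.0.0.9",
     "audited_changes": {"match": "fqdn=db01.prod.example", "value": "2"}},
    {"id": 504, "auditable_type": "LookupValue", "auditable_id": 11, "action": "update",
     "user_name": "ops-admin", "created_at": "2026-06-30T10:00:00Z", "remote_address": "10.0.0.9",
     "audited_changes": {"value": ["2", "3"]}},
    {"id": 505, "auditable_type": "Host::Managed", "auditable_id": 2, "action": "update",
     "user_name": "ops-admin", "created_at": "2026-06-30T10:01:00Z", "remote_address": "10.0.0.9",
     "audited_changes": {"comment": ["", "patched"]}}
  ]
JSON

SAMPLE_OVERRIDES = [
  { "id" => 10, "parameter" => "ntp::servers",         "match" => "fqdn=db01.prod.example" },
  { "id" => 11, "parameter" => "sshd::max_auth_tries", "match" => "fqdn=db01.prod.example" },
  { "id" => 12, "parameter" => "ntp::servers",         "match" => "hostgroup=base" }
]

SAMPLE_HOSTS = [
  { "name" => "lab01.lab.example", "organization_name" => "Lab",  "location_name" => "Berlin" },
  { "name" => "db01.prod.example", "organization_name" => "Prod", "location_name" => "Dublin" }
]

if __FILE__ == $0
  find_retargets(SAMPLE_AUDITS).each do |f|
    puts "RETARGET audit=#{f[:audit_id]} override=#{f[:override_id]} by #{f[:user]}@#{f[:ip]} " \
         "#{f[:from]} -> #{f[:to]} at #{f[:at]}"
  end
  review_overrides(SAMPLE_OVERRIDES, SAMPLE_AUDITS, SAMPLE_HOSTS).each do |r|
    puts "MOVED override=#{r[:override_id]} (#{r[:key]}) created for #{r[:created_for]}, " \
         "now #{r[:now_targets]}, crossed: #{r[:crossed].join(', ')}"
  end
end
```

Only the audit-based check proves that a retarget happened; the current-state review catches the same thing when audit retention is short, but it cannot see an override that was moved and then moved back. Override 11 in the sample changes value without changing match and is correctly left alone.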
