CVE-2026-5138
Status: Received - Intake

Cross-Tenant Information Disclosure in Foreman

Vulnerability report for CVE-2026-5138, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Red Hat, Inc.

Description

A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor    Product   Version / Range
redhat    foreman   *
red_hat   foreman   up to 3.0.0 (exclusive)

Exploitability

CWE ID    Description
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

AI Quick Actions (instant insights generated by AI)

Executive Summary

CVE-2026-5138 is a security vulnerability in Foreman, a lifecycle management tool for physical and virtual servers. The flaw exists because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, which allows bypassing existing authorization checks.

An authenticated user with host-edit permissions can exploit this vulnerability to access sensitive infrastructure metadata belonging to organizations or locations they are not authorized to access.

  • The sensitive information that can be leaked includes subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs.

To exploit this issue, an attacker needs a valid Foreman account with create_hosts, edit_hosts, or equivalent hostgroup permissions in at least one organization, and must craft an HTTP request with a valid organization ID at the top level and a foreign organization ID nested within the parameters.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive infrastructure metadata from organizations or locations that the attacker is not authorized to access.

  • Exposure of subnet topology could reveal network structure details.
  • Leaking IP ranges, gateways, DNS servers, and VLAN IDs could aid attackers in planning further attacks or gaining unauthorized network access.

Overall, this information disclosure could compromise the confidentiality of network infrastructure details, potentially leading to increased risk of targeted attacks or data breaches.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Foreman server for suspicious nested parameters that include organization or location IDs not authorized for the authenticated user.

Specifically, an attacker crafts HTTP requests with a valid top-level organization ID but includes foreign organization IDs nested within the parameters to bypass authorization checks.

To detect exploitation attempts, you can analyze web server logs or use network monitoring tools to filter for requests to the taxonomy_scope controller method containing nested parameters with organization or location IDs.

  • Use grep or a similar tool to search Foreman access logs for requests that carry a top-level organization or location ID together with a nested, Rails-style one such as host[organization_id]; in access logs the brackets are usually percent-encoded as %5B and %5D:
  • grep -E '(organization|location)_id=[0-9]+.*(\[|%5B)(organization|location)_id(\]|%5D)=' /var/log/foreman/access.log
  • Use packet-capture or proxy tools (e.g., Wireshark, tcpdump, or Burp Suite) to capture and analyze requests for nested organization or location IDs that differ from the top-level ones or from the taxonomies the user is authorized for.

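
As an added detection example (not from this page or the Foreman project), the following Python script applies the same idea to constructed access-log lines: it percent-decodes the query string, collects the top-level organization_id / location_id values, and flags every nested Rails-style [organization_id] or [location_id] parameter whose value is not among them. It assumes combined-log-format lines and only sees query-string parameters; form bodies need a request-logging proxy.

```python
import re
from urllib.parse import parse_qs

TAXONOMY_KEYS = ("organization_id", "location_id")
# Rails nests parameters as host[organization_id], host[interfaces_attributes][0][location_id], ...
NESTED_KEY = re.compile(r"\[(organization_id|location_id)\]$")
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')


def taxonomy_mismatches(query):
    """Return (param, nested_value, top_level_values) for every nested taxonomy id
    that is absent from the top-level organization_id / location_id of the same request."""
    params = parse_qs(query, keep_blank_values=True)  # also percent-decodes %5B / %5D
    top = {k: set(params.get(k, [])) for k in TAXONOMY_KEYS}
    findings = []
    for key, values in params.items():
        match = NESTED_KEY.search(key)
        if not match:
            continue
        taxonomy = match.group(1)
        for value in values:
            if value and value not in top[taxonomy]:
                findings.append((key, value, sorted(top[taxonomy])))
    return findings


def scan_access_log(lines):
    """Return (line_number, findings) for combined-format log lines whose query string
    mixes taxonomies. Only query-string parameters are visible here; form bodies are not logged."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match or "?" not in match.group(1):
            continue
        findings = taxonomy_mismatches(match.group(1).split("?", 1)[1])
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample log lines (not from a real Foreman deployment): line 2 nests a foreign
# organization id and a location id under host[...] while the top-level organization is 1.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jul/2026:10:00:00 +0000] "PUT /hosts/12?organization_id=1&host%5Borganization_id%5D=1 HTTP/1.1" 200 512',
    '10.0.0.5 - alice [01/Jul/2026:10:00:05 +0000] "PUT /hosts/12?organization_id=1&host%5Borganization_id%5D=7&host%5Blocation_id%5D=3 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {findings}")
```
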
Mitigation Strategies

Immediate mitigation steps include restricting host-edit permissions to only trusted users, as exploitation requires authenticated users with such permissions.

Additionally, monitor and audit user activities involving organization and location IDs to detect any unauthorized access attempts.

Apply any available patches or updates from the Foreman project or your Linux distribution that address this vulnerability as soon as they are released.

If patches are not yet available, consider implementing additional access controls or request validation mechanisms to ensure organization and location IDs in nested parameters are properly validated.

Compliance Impact

This vulnerability allows an authenticated user with host-edit permissions to bypass authorization checks and access sensitive infrastructure metadata from organizations and locations they are not authorized to access.

Such unauthorized disclosure of sensitive information could potentially lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to sensitive data and protection against unauthorized disclosure.

However, the provided information does not explicitly mention the impact on compliance with these or other specific regulations.
