PT-2026-54786 · Foreman · Foreman
Stanislav Fot · Published 2026-07-01 · Updated 2026-07-02
CVE-2026-5136
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Foreman (affected versions not specified)
satellite-capsule:el8/foreman (affected versions not specified)
Description
The Usergroup model fails to properly validate role assignments against the permissions of the calling user. This improper authorization occurs within the usergroup management component, where broken permission checks allow an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative ones, to a user group and subsequently add themselves as a member. This leads to full privilege escalation, granting administrator-level access and potentially enabling a complete takeover of managed infrastructure and sensitive data.
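A minimal model of the missing check described above, as an added example (not Foreman's code and not its fix): the weak path treats the usergroup-management permission as sufficient, while the hardened path rejects any newly attached role that grants permissions the caller lacks. All class, method and role names are hypothetical, and `edit_usergroups` is used as a constructed permission name.

```ruby
require "set"

# Constructed, simplified model; all class, method and role names are hypothetical.
class EscalationError < StandardError; end
Role = Struct.new(:name, :permissions)

class User
  attr_reader :login, :roles, :admin
  def initialize(login, roles: [], admin: false)
    @login, @roles, @admin = login, roles, admin
  end

  # Assumption: direct roles only; a real system also counts group-inherited roles.
  def permissions
    roles.flat_map(&:permissions).to_set
  end

  # A caller may hand out a role only if it grants nothing the caller lacks.
  def can_assign?(role)
    admin || role.permissions.to_set.subset?(permissions)
  end
end

class Usergroup
  attr_reader :name, :roles
  def initialize(name)
    @name, @roles = name, []
  end

  # Weak form: holding the group-management permission is treated as sufficient.
  def assign_roles_unchecked(actor, new_roles)
    authorize_edit!(actor)
    @roles = new_roles
  end

  # Hardened form: each role being added is checked against the caller's own rights.
  def assign_roles(actor, new_roles)
    authorize_edit!(actor)
    denied = (new_roles - @roles).reject { |role| actor.can_assign?(role) }
    raise EscalationError, "cannot grant: #{denied.map(&:name).join(', ')}" unless denied.empty?
    @roles = new_roles
  end

  private
  def authorize_edit!(actor)
    return if actor.admin || actor.permissions.include?(:edit_usergroups)
    raise EscalationError, "#{actor.login} may not edit user groups"
  end
end
```

Only roles being added are checked, so a delegated manager can still remove roles from a group that already carries one they could not grant themselves.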
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
LPE
Incorrect Privilege Assignment