PT-2026-54786 · Foreman · Foreman

Stanislav Fot · Published 2026-07-01 · Updated 2026-07-02 · CVE-2026-5136

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Foreman (affected versions not specified)
satellite-capsule:el8/foreman (affected versions not specified)

Description

The Usergroup model fails to properly validate role assignments against the permissions of the calling user. This improper authorization occurs within the usergroup management component, where broken permission checks allow an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative ones, to a user group and subsequently add themselves as a member. This leads to full privilege escalation, granting administrator-level access and potentially enabling a complete takeover of managed infrastructure and sensitive data.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
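
The class of check the description says is missing, as an added example that is not Foreman's code or its fix: a role may be attached to a user group only if the acting user already holds every permission that role grants. The model, method names, permission names and sample roles are all hypothetical and constructed for illustration.

```ruby
require "set"

# Hypothetical minimal model for illustration; not Foreman's schema or code.
Role = Struct.new(:name, :permissions) # permissions: Set of permission names
User = Struct.new(:login, :roles) do
  def permissions
    roles.reduce(Set.new) { |acc, role| acc | role.permissions }
  end
end

class EscalationError < StandardError; end

class Usergroup
  attr_reader :roles, :members
  def initialize
    @roles = []
    @members = []
  end

  # Weak form: checks only that the actor may manage usergroups.
  def assign_roles_unchecked(actor, new_roles)
    require_manage!(actor)
    @roles |= new_roles
  end

  # Hardened form: a role is assignable only if the actor already holds
  # every permission it grants.
  def assign_roles(actor, new_roles)
    require_manage!(actor)
    excess = new_roles.reject { |r| r.permissions.subset?(actor.permissions) }
    raise EscalationError, "not grantable: #{excess.map(&:name).join(', ')}" unless excess.empty?
    @roles |= new_roles
  end

  private

  def require_manage!(actor)
    raise EscalationError, "edit_usergroups required" unless actor.permissions.include?("edit_usergroups")
  end
end

# Permissions a user ends up with: own roles plus roles of groups they belong to.
def effective_permissions(user, groups)
  inherited = groups.select { |g| g.members.include?(user) }.flat_map(&:roles)
  inherited.reduce(user.permissions) { |acc, role| acc | role.permissions }
end

MANAGER = Role.new("Usergroup manager", Set["edit_usergroups"]) # constructed sample roles
ADMIN = Role.new("Administrator", Set["edit_usergroups", "edit_users", "edit_hosts"])
```

The subset test is evaluated against the actor's directly held permissions, so membership in the group being edited cannot be used to satisfy it.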

LPE

Incorrect Privilege Assignment

Weakness Enumeration

Related Identifiers

CVE-2026-5136
RHSA-2026:34365
RHSA-2026:34366
RHSA-2026:34368

Affected Products

Foreman