CVE-2026-5142 in Satelliteinfo

Summary

by MITRE • 07/01/2026

A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/01/2026

This vulnerability exists within the foreman management platform where authenticated users possessing the 'view_keypairs' permission can exploit a privilege escalation flaw to bypass taxonomy scoping mechanisms. The technical implementation allows these users to directly query key pair identifiers through API endpoints or direct database access, circumventing the intended organizational boundaries that should restrict access to resources within specific taxonomies or organizational units. This represents a critical authorization bypass vulnerability that fundamentally undermines the multi-tenant security model of the platform.

The flaw stems from insufficient input validation and access control enforcement within the key pair retrieval mechanisms. When users with 'view_keypairs' permission attempt to access SSH key information, the system fails to properly verify whether the requesting user has legitimate access to the specific key pair they are attempting to retrieve. This weakness enables unauthorized cross-tenant data exposure where users can enumerate and download private SSH keys belonging to other organizations within the same foreman deployment. The vulnerability is particularly concerning because it allows for direct exploitation without requiring additional privileges or complex attack chains.

The operational impact of this vulnerability extends beyond simple data exposure to encompass significant security implications for multi-tenant deployments. Organizations utilizing foreman for managing infrastructure across multiple clients or departments face potential compromise of their entire cloud environment when private SSH keys are accessible across tenant boundaries. Attackers could potentially gain unauthorized access to systems belonging to other organizations, escalate privileges within the target environment, and execute lateral movement attacks. This vulnerability directly violates the principle of least privilege and can lead to widespread data breaches affecting multiple tenants simultaneously.

Mitigation strategies should focus on implementing robust access control measures that enforce strict taxonomy scoping for all key pair operations. Organizations must ensure that API endpoints and database queries properly validate user permissions against organizational boundaries before returning any key pair information. The implementation should include mandatory authorization checks that verify the requesting user's access rights to specific taxonomies or organizational units before allowing retrieval of SSH key data. Additionally, logging and monitoring systems should be enhanced to detect unauthorized access attempts to key pairs across tenant boundaries. This vulnerability aligns with CWE-285, which addresses improper authorization in software applications, and maps to ATT&CK technique T1566 for credential access through exploitation of weak permissions.

Responsible

Redhat

Reservation

03/30/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!