CVE-2026-5138 in Red Hat Satellite
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.
Quick answer
Red Hat Satellite should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Red Hat Satellite and Satellite Capsule 6.17, 6.18, and 6.19 before the July 2026 async updates
Fixed versions
- Apply the relevant Red Hat Satellite 6.17, 6.18, or 6.19 async update from RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34368, or later
How to fix it
CVE-2026-5138 affects Red Hat Satellite. Update Satellite or Capsule to the Red Hat async fix for your supported version. Limit admin access until the update is complete.
- Find every Red Hat Satellite and Capsule server.
- Check if it matches Red Hat Satellite and Satellite Capsule 6.17, 6.18, and 6.19 before the July 2026 async updates.
- Apply the vendor update: Apply the relevant Red Hat Satellite 6.17, 6.18, or 6.19 async update from RHSA-2026:34365, RHSA-2026:34366, RHSA-2026:34368, or later.
- Restart services if Red Hat tells you to do so.
- Review roles and permissions for users who can edit hosts.
- Check logs for unusual host, key pair, or taxonomy access.
- Rotate exposed keys or secrets if needed.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the Satellite packages show the updated Red Hat build.
- Test normal host edit and organization workflows.
- Confirm users cannot see data outside their scope.
- Run a new Fixnx scan after the update.
- Keep the RHSA advisory in the change ticket.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-5138?
Red Hat Satellite versions listed as affected should be reviewed: Red Hat Satellite and Satellite Capsule 6.17, 6.18, and 6.19 before the July 2026 async updates.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
