PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5136 Red Hat CVE debrief

A flaw was found in Foreman's Usergroup model, which does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation leads to full privilege escalation, granting the attacker administrator-level access. The vulnerability affects Foreman and can be exploited by an authenticated user. The vulnerability has a high impact on the system.

Vendor
Red Hat
Product
Red Hat Satellite 6.16 for RHEL 8
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-01
Original CVE updated
2026-07-09
Advisory published
2026-07-01
Advisory updated
2026-07-09

Who should care

Users of Foreman, particularly those with administrative roles or usergroup management permissions, should be aware of this vulnerability and take immediate action to mitigate the risk. System administrators and security teams should review the CVE record and NVD entry for more information. Affected users should apply vendor patches or updates as soon as possible. Users with usergroup management permissions should be cautious when assigning roles to user groups.

Technical summary

The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. An authenticated user with usergroup management permissions can attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. This leads to full privilege escalation. The vulnerability is caused by a lack of proper validation in the Usergroup model. The affected product is Foreman. The vulnerability has a high impact on confidentiality, integrity, and availability.

Defensive priority

High

Recommended defensive actions

  • Review and restrict usergroup management permissions
  • Monitor user group changes and role assignments
  • Implement compensating controls to limit privilege escalation
  • Apply vendor patches or updates
  • Conduct inventory checks for affected systems
  • Track exceptions and retest remediated assets
  • Review relevant monitoring, detection, and logs for exposed assets

Evidence notes

The CVE record was published on 2026-07-01T14:16:47.277Z and was last modified on 2026-07-09T02:39:36.490Z. The NVD entry is currently Analyzed. This information is based on the NVD entry and the CVE record. The vulnerability affects Foreman's Usergroup model. The CVE record and NVD entry provide details on the vulnerability. Users should verify the affected versions and configurations. The evidence is limited to public sources and may not be comprehensive.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T14:16:47.277Z and has not been modified since then. The NVD entry is currently Analyzed.