CVE-2026-1961

high

Red Hat

CVSS v3 Base Score

8.0

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Confidentiality

High

Integrity

High

Availability

High

Published: March 26, 2026 (49 days ago)

Last Modified: March 26, 2026

Vendor: Red Hat

Fix Available: ✓ Yes

Source: REDHAT

Description

A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.

Affected Products

Red Hat Satellite 6Red Hat Satellite 6.16 for RHEL 8Red Hat Satellite 6.16 for RHEL 9Red Hat Satellite 6.17 for RHEL 9Red Hat Satellite 6.18 for RHEL 9

Fix Status

✅ Fix Available

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov

CVE-2026-1961

Vulnerability Report

Description

Affected Products

Fix Status

References