Description

A flaw was found in Katello's content upload functionality in Red Hat Satellite, where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.

PUBLISHED Reserved 2026-06-17 | Published 2026-06-17 | Updated 2026-06-18 | Assigner redhat




MEDIUM: 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Missing Authorization

Product status

Default status: affected


Timeline

2026-06-17: Reported to Red Hat.
2026-06-17: Made public.

References

access.redhat.com/security/cve/CVE-2026-12515 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2489812 (RHBZ#2489812) issue-tracking

github.com/Katello/katello/pull/11712

cve.org (CVE-2026-12515)

nvd.nist.gov (CVE-2026-12515)
