CVE-2026-1961 | THREATINT

Description

A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.

PUBLISHED Reserved 2026-02-05 | Published 2026-03-26 | Updated 2026-04-08 | Assigner redhat

HIGH: 8.0CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

affected

0:3.12.0.14-1.el8sat (rpm) before *

unaffected

Default status

affected

0:3.12.0.14-1.el9sat (rpm) before *

unaffected

Default status

affected

0:3.14.0.14-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.1.23-0.3.el9pc (rpm) before *

unaffected

Default status

affected

0:1.2.0-0.1.el9pc (rpm) before *

unaffected

Default status

affected

0:4.2.28-0.1.el9pc (rpm) before *

unaffected

Default status

affected

0:2.22.3-1.el9pc (rpm) before *

unaffected

Default status

affected

0:3.27.10-2.el9pc (rpm) before *

unaffected

Default status

affected

0:1.5.1-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.4.3-1.el9sat (rpm) before *

unaffected

Default status

affected

0:4.16.0.14-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.13.0-1.el9sat (rpm) before *

unaffected

Default status

affected

0:6.17.7-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.0.3-4.el9sat (rpm) before *

unaffected

Default status

affected

0:3.14.0.14-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.1.23-0.3.el9pc (rpm) before *

unaffected

Default status

affected

0:1.2.0-0.1.el9pc (rpm) before *

unaffected

Default status

affected

0:4.2.28-0.1.el9pc (rpm) before *

unaffected

Default status

affected

0:2.22.3-1.el9pc (rpm) before *

unaffected

Default status

affected

0:3.27.10-2.el9pc (rpm) before *

unaffected

Default status

affected

0:1.5.1-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.4.3-1.el9sat (rpm) before *

unaffected

Default status

affected

0:4.16.0.14-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.13.0-1.el9sat (rpm) before *

unaffected

Default status

affected

0:6.17.7-1.el9sat (rpm) before *

unaffected

Default status

affected

0:0.0.3-4.el9sat (rpm) before *

unaffected

Default status

affected

0:3.16.0.12-1.el9sat (rpm) before *

unaffected

Default status

affected

Timeline

2026-02-05:	Reported to Red Hat.
2026-03-26:	Made public.

Credits

Red Hat would like to thank Houssam Sahli for reporting this issue.

References

www.openwall.com/lists/oss-security/2026/03/27/3

access.redhat.com/errata/RHSA-2026:5968 (RHSA-2026:5968) vendor-advisory

access.redhat.com/errata/RHSA-2026:5970 (RHSA-2026:5970) vendor-advisory

access.redhat.com/errata/RHSA-2026:5971 (RHSA-2026:5971) vendor-advisory

access.redhat.com/security/cve/CVE-2026-1961 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2437036 (RHBZ#2437036) issue-tracking

cve.org (CVE-2026-1961)

nvd.nist.gov (CVE-2026-1961)

Download JSON