VYPR
Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 24, 2026

Foreman: Satellite: GraphQL API permission bypass leads to information disclosure

CVE-2025-9572

Description

An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.

Affected products

5
  • Red Hat/Red Hat Satellite 6.15 for RHEL 8v5
    cpe:/a:redhat:satellite:6.15::el8
    Range: 0:6.15.5.7-1.el8sat
  • Red Hat/Red Hat Satellite 6.17 for RHEL 9v5
    cpe:/a:redhat:satellite_capsule:6.17::el9
    Range: 0:3.14.0.11-1.el9sat
  • Red Hat/Red Hat Satellite 6.18 for RHEL 9v5
    cpe:/a:redhat:satellite_capsule:6.18::el9
    Range: 0:6.18.1-1.el9sat
  • Red Hat/Red Hat Satellite 6.16 for RHEL 9v5
    cpe:/a:redhat:satellite_utils:6.16::el8
    Range: 0:6.16.5.6-1.el9sat
  • Range: 1.22.0

Patches

0

No patches discovered yet.
