Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 24, 2026

Foreman: Satellite: GraphQL API permission bypass leads to information disclosure

CVE-2025-9572

Description

An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.

Affected products

6
  • Red Hat/Red Hat Satellite 6.15 for RHEL 8v5
    cpe:/a:redhat:satellite:6.15::el8
    Range: 0:6.15.5.7-1.el8sat
  • Red Hat/Red Hat Satellite 6.17 for RHEL 9v5
    cpe:/a:redhat:satellite_capsule:6.17::el9
    Range: 0:3.14.0.11-1.el9sat
  • Red Hat/Red Hat Satellite 6.18 for RHEL 9v5
    cpe:/a:redhat:satellite_capsule:6.18::el9
    Range: 0:6.18.1-1.el9sat
  • Red Hat/Red Hat Satellite 6.16 for RHEL 9v5
    cpe:/a:redhat:satellite_utils:6.16::el8
    Range: 0:6.16.5.6-1.el9sat
  • Theforeman/Foreman · llm-fuzzy · 2 versions
    • (no CPE)
    • (no CPE)
      Range: 1.22.0
