VYPR
High severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 26, 2026

rubyipmi: Red Hat Satellite: remote code execution in rubyipmi via malicious BMC username

CVE-2026-0980

Description

A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A flaw in rubyipmi used in Red Hat Satellite allows authenticated users with host creation permissions to achieve RCE via a crafted BMC username.

Summary

A flaw in the rubyipmi gem, used in Red Hat Satellite's BMC component, allows an authenticated attacker with host creation or update permissions to cause remote code execution (RCE) by supplying a crafted username for the BMC interface. [4]

Root cause

The vulnerability arises from improper input validation within the rubyipmi gem when processing usernames for BMC interfaces. The BMC component in Red Hat Satellite uses this gem to manage Baseboard Management Controllers. The lack of sanitization allows injection of malicious commands through the username field. [4]

Exploitation

An attacker must have valid credentials on Red Hat Satellite and host creation or update permissions. Exploitation involves crafting a malicious username that, when processed by rubyipmi, leads to command injection. The attack does not require physical access; it can be performed remotely through the Satellite web interface or API. [4]

Impact

Successful exploitation grants the attacker remote code execution on the system hosting the BMC interface. This can lead to full compromise of the management network and potentially adjacent systems. Given the critical role of BMCs, this vulnerability poses a significant risk to infrastructure management. [4]

Mitigation

Red Hat has released security updates to address this vulnerability in the rubyipmi gem. Administrators should apply the relevant patches (e.g., RHSA-2026:5971, RHSA-2026:5970, RHSA-2026:5968) as soon as possible. No workarounds have been published; updating the gem is the recommended course of action. [1][2][3]
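The root cause and the fix described above come down to how the command line is handed to Open3: a single string may be run through the shell, an argv array is not. The following Ruby is an added example, not the gem's own code: ipmitool_argv is a simplified, hypothetical helper modelled on the patched ipmitool makecommand, run_without_shell uses a child Ruby process in place of ipmitool so the example runs offline, and safe_bmc_username? is a hypothetical allow-list check added for defence in depth.

```ruby
require "open3"
require "json"
require "rbconfig"

# Simplified version of the patched ipmitool makecommand (hypothetical helper
# modelled on the fix, not the gem's own code): build an argv array, never a
# shell string, so option values reach the executable as single arguments.
def ipmitool_argv(cmd, options)
  args = []
  options.each do |k, v|
    next if k == "P"        # password goes through the config file, not argv
    next if k == "cmdargs"
    next if v.nil?          # avoid a dangling "-k" switch with no value
    args += ["-#{k}", v.to_s]
  end
  # ipmitool wants the subcommand tokens last, in order
  args += options.fetch("cmdargs", "").split
  [cmd] + args
end

# Execute argv with Open3.capture3(*argv), i.e. exec-style with no shell, and
# return the arguments the child actually received. A child Ruby process
# stands in for ipmitool so the example runs offline; "--" stops Ruby from
# parsing "-H"/"-U" as its own switches.
def run_without_shell(argv)
  child = [RbConfig.ruby, "-rjson", "-e", "puts ARGV.to_json", "--"] + argv.drop(1)
  out, err, status = Open3.capture3(*child)
  raise "child failed: #{err}" unless status.success?
  JSON.parse(out)
end

# Defence in depth at the input layer: BMC user names are short identifiers,
# so reject anything outside a conservative allow-list before it is stored.
def safe_bmc_username?(name)
  name.is_a?(String) && name.match?(/\A[A-Za-z0-9_.@-]{1,16}\z/)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a username carrying shell metacharacters.
  opts = { "H" => "bmc.example.invalid", "U" => "admin; id", "P" => "secret",
           "cmdargs" => "chassis power status" }
  argv = ipmitool_argv("ipmitool", opts)
  p argv                            # username is one element, "-P" is absent
  p run_without_shell(argv)         # child sees "admin; id" as one literal argument
  p safe_bmc_username?("admin; id") # false: rejected before it reaches the command
end
```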

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: rubyipmi (RubyGems)
Affected versions: < 0.13.0
Patched versions: 0.13.0

Affected products (5)

  • Red Hat / Red Hat Satellite 6
    cpe:/a:redhat:satellite:6
  • Red Hat / Red Hat Satellite 6.16 for RHEL 9
    cpe:/a:redhat:satellite:6.16::el8
    Range: 0:0.13.0-0.1.el9sat
  • Red Hat / Red Hat Satellite 6.18 for RHEL 9
    cpe:/a:redhat:satellite:6.18::el9
    Range: 0:0.13.0-1.el9sat
  • Red Hat / Red Hat Satellite 6.17 for RHEL 9
    cpe:/a:redhat:satellite_maintenance:6.17::el9
    Range: 0:0.0.3-4.el9sat
  • rubyipmi / rubyipmi

Patches (1)

252503a7b4dc

pass cmd and args individually to Open3.capture3 to disable shell usage

https://github.com/logicminds/rubyipmi · Evgeni Golov · Jan 9, 2026 · via ghsa
5 files changed · +12 −16
  • lib/rubyipmi/commands/basecommand.rb (+1 −1, modified)
    @@ -66,7 +66,7 @@ def run
           logger.debug(makecommand) if logger
           begin
             command = makecommand
    -        @lastcall = command.to_s
    +        @lastcall = command
             @result, @result_err, status = Rubyipmi.capture3(command)
             # sometimes the command tool does not return the correct result, validate it with additional code
             process_status = validate_status(status)
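Review bot: `@lastcall = command` changes the type of the public `lastcall` attribute from String to Array, which is a breaking change for any consumer that logged, inspected or parsed it as a string; worth stating in the changelog. The `logger.debug(makecommand)` call two lines above now logs the array's inspect form, which is arguably better because each argument is shown as a separate token, but it also shows how the debug line builds the command a second time before `command = makecommand`.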
    
  • lib/rubyipmi/freeipmi/commands/basecommand.rb (+2 −2, modified)
    @@ -25,9 +25,9 @@ def makecommand
             else
               "--#{k}=#{v}"
             end
    -      end.join(" ")
    +      end
     
    -      "#{cmd} #{args.rstrip}"
    +      [cmd] + args.compact
         end
     
         # This method will check if the results are really valid as the exit code can be misleading and incorrect
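Review bot: now that nothing joins or splits the result, the branch above the visible `else` must also return a single argv element (or nil, which `compact` drops), never a string containing whitespace, otherwise that whole string becomes one argument to freeipmi; worth a spec asserting that no element of `makecommand` contains a space. The previous `args.rstrip` no longer applies, so a trailing-whitespace value is now passed verbatim, which is the correct behaviour for an exec-style call.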
    
  • lib/rubyipmi/ipmitool/commands/basecommand.rb (+4 −4, modified)
    @@ -15,19 +15,19 @@ def max_retry_count
         end
     
         def makecommand
    -      args = ''
    +      args = []
           # need to format the options to ipmitool format
           @options.each do |k, v|
             # must remove from command line as its handled via conf file
             next if k == "P"
             next if k == "cmdargs"
    -        args << " -#{k} #{v}"
    +        args += ["-#{k}", v]
           end
     
           # since ipmitool requires commands to be in specific order
    -      args << ' ' + options.fetch('cmdargs', '')
    +      args += options.fetch('cmdargs', '').split
     
    -      "#{cmd} #{args.lstrip}"
    +      [cmd] + args.compact
         end
     
         # The findfix method acts like a recursive method and applies fixes defined in the errorcodes
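Review bot: `args += ["-#{k}", v]` followed by `.compact` drops a nil `v` but keeps its `-k` switch, so an option with a nil value now yields a dangling flag that ipmitool would pair with the next token; suggest `next if v.nil?` inside the loop. `v` also reaches `Open3.capture3` unchanged, and `Process.spawn` raises `TypeError` for non-String arguments (for example an Integer port), so `v.to_s` is needed here. `options.fetch('cmdargs', '').split` keeps `cmdargs` as free text split on whitespace; that no longer reaches a shell, but the docstring should say the field is trusted, since a quoted token with spaces cannot be expressed through it.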
    
  • lib/rubyipmi.rb (+1 −1, modified)
    @@ -147,7 +147,7 @@ def self.supported_privilege_type?(type)
     
       # test-friendly capture3
       def self.capture3(cmd)
    -    return Open3.capture3(cmd)
    +    return Open3.capture3(*cmd)
       end
     
       # method used to find the command which also makes it easier to mock with
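Review bot: `Open3.capture3(*cmd)` is only exec-style when `cmd` is an Array with the executable and each argument as separate elements; if any caller still passes a String, the splat yields a single-element call and Ruby runs it through `/bin/sh` whenever it contains shell metacharacters, reintroducing the bug silently. Suggest guarding with `raise ArgumentError, "cmd must be an argv Array" unless cmd.is_a?(Array)` and adding a spec for the String case.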
    
  • spec/spec_helper.rb (+4 −8, modified)
    @@ -19,21 +19,17 @@ def command_is_eql?(source, expected)
     
     def verify_freeipmi_command(cmdobj, exp_args_count, expcmd)
       actual = cmdobj.lastcall
    -  actual.scan(/(^#{Regexp.escape(expcmd)})/) do |cmd_match|
    -    expect(cmd_match.first).to eq(expcmd)
    -  end
    -  args_match = actual.scan(/(\-{2}[\w-]*=?[-\w\/]*)/)
    +  expect(actual.first).to eq(expcmd)
    +  args_match = actual.select { |arg| arg.match?(/^(-{2}[\w-]*=?[-\w\/]*)/) }
       # not sure how to exactly test for arguments since they could vary, so we will need to use count for now
       # args_match.should =~ exp_args
       expect(args_match.count).to eq(exp_args_count)
     end
     
     def verify_ipmitool_command(cmdobj, exp_args_count, expcmd, required_args)
       actual = cmdobj.lastcall
    -  actual.scan(/(^#{Regexp.escape(expcmd)})/) do |cmd_match|
    -    expect(cmd_match.first).to eq(expcmd)
    -  end
    -  args_match = actual.scan(/(-\w\s[\w\d\S]*)/)
    +  expect(actual.first).to eq(expcmd)
    +  args_match = actual.select { |arg| arg.match?(/^(-\w)/) }
       expect(actual.include?(required_args)).to eq true
       # not sure how to exactly test for arguments since they could vary, so we will need to use count for now
       # args_match.should =~ exp_args
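Review bot: `expect(actual.include?(required_args)).to eq true` now performs exact element matching against the argv array, so every existing caller must pass `required_args` as a single token (a bare `-U`) rather than a `-U admin` substring, or the expectation fails for the wrong reason; worth checking the call sites in the same change. A direct assertion that `actual` is an Array with the command as a separate first element would also pin the property the fix depends on, since a single-element array is exactly the case where Open3 falls back to the shell.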
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)
