High severity · 8.1 · NVD Advisory · Published Feb 2, 2026 · Updated Apr 15, 2026
CVE-2026-1531
Description
A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information.
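The two behaviours at the OpenSSL level, as an added Ruby example that is not code from foreman_kubevirt or fog-kubevirt. `trust_store`, `tls_params`, `make_cert` and `demo` are hypothetical helpers, the certificates are constructed at run time, and falling back to the system trust store for a blank CA is an assumption of this example.

```ruby
require 'openssl'

# Pre-fix behaviour from the advisory: no CA configured means no verification.
def legacy_verify_mode(ca_cert)
  ca_cert.to_s.strip.empty? ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
end

# Hypothetical helper: the CA field may hold PEM text (CA or chain), a path, or nothing.
def trust_store(ca_cert)
  store = OpenSSL::X509::Store.new
  value = ca_cert.to_s.strip
  pems = value.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  if value.empty?
    store.set_default_paths # assumption: blank means the system trust store
  elsif pems.any?
    pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  else
    store.add_file(value) # treated as a path; raises if it cannot be read
  end
  store
end

# Hardened settings: the verify mode never depends on whether a CA was supplied.
def tls_params(ca_cert)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: trust_store(ca_cert) }
end

# Constructed certificates with throwaway keys, generated at run time.
def make_cert(common_name, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  constraint = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def demo
  ca, ca_key = make_cert('constructed-cluster-ca')
  leaf, = make_cert('api.cluster.example', ca, ca_key)
  other_ca, = make_cert('constructed-other-ca')
  { legacy_blank: legacy_verify_mode(''), fixed_blank: tls_params('')[:verify_mode],
    trusted: trust_store(ca.to_pem).verify(leaf), untrusted: trust_store(other_ca.to_pem).verify(leaf) }
end
```

With a blank CA the legacy mode accepts any certificate presented on the path, while the hardened settings reject a server certificate that does not chain to a trusted CA.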
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| foreman_kubevirt (RubyGems) | < 0.4.3 | 0.4.3 |
Affected products (1)
Patches (1)
6c9973ee59c6 · default to verify SSL when talking to KubeVirt
3 files changed · +3 −3
app/models/foreman_kubevirt/kubevirt.rb+1 −1 modified@@ -344,7 +344,7 @@ def client :kubevirt_namespace => namespace, :kubevirt_token => token, :kubevirt_log => logger, - :kubevirt_verify_ssl => ca_cert.present?, + :kubevirt_verify_ssl => true, :kubevirt_ca_cert => ca_cert, :kubevirt_version => "v1alpha3" )
app/views/compute_resources/form/_kubevirt.html.erb+1 −1 modified@@ -9,7 +9,7 @@ %> <%= textarea_f f, :ca_cert, :label => _("X509 Certification Authorities"), - :placeholder => _("Optionally provide a CA, or a correctly ordered CA chain or a path to a file. If left blank - insecure.") %> + :placeholder => _("Optionally provide a CA, or a correctly ordered CA chain or a path to a file.") %> <div class="col-md-offset-2"> <%= test_connection_button_f(f, f.object.connection_valid?) %>
foreman_kubevirt.gemspec+1 −1 modified@@ -15,5 +15,5 @@ Gem::Specification.new do |s| s.required_ruby_version = '>= 2.5', '< 4.0' - s.add_dependency('fog-kubevirt', '>= 1.3.3', '< 2') + s.add_dependency('fog-kubevirt', '>= 1.5.1', '< 2') end
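Review bot: in app/models/foreman_kubevirt/kubevirt.rb, `:kubevirt_verify_ssl => true` is now unconditional while `:kubevirt_ca_cert => ca_cert` can still be blank, so compute resources saved without a CA switch from unverified to verified connections on upgrade. It is worth confirming which trust anchors the client uses when `ca_cert` is blank and making sure a verification failure surfaces as a clear error. None of the three changed files is a test, so a test asserting that `client` requests verification with a blank `ca_cert` would guard against a regression.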
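Review bot: in app/views/compute_resources/form/_kubevirt.html.erb, the new placeholder drops "If left blank - insecure." but no longer tells the operator what a blank field means. Suggest stating that the certificate is still verified when the field is empty, so that operators whose cluster uses a private CA know they have to supply it.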
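Review bot: in foreman_kubevirt.gemspec, the fog-kubevirt floor moves from '>= 1.3.3' to '>= 1.5.1' with no reason given in the commit title or the diff. Suggest recording what 1.5.1 provides that the always-on `:kubevirt_verify_ssl` relies on, so that the constraint is not relaxed later by mistake.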
References
- github.com/advisories/GHSA-2qxw-7fmx-gqfm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-1531 (ghsa, ADVISORY)
- access.redhat.com/errata/RHSA-2026:5968 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:5970 (nvd, WEB)
- access.redhat.com/errata/RHSA-2026:5971 (nvd, WEB)
- access.redhat.com/security/cve/CVE-2026-1531 (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/foreman_kubevirt/CVE-2026-1531.yml (ghsa, WEB)
- github.com/theforeman/foreman_kubevirt/commit/6c9973ee59c6fbec65f165eb9ea9dd4ebb6eeef1 (ghsa, WEB)