VYPR
Moderate severity · NVD Advisory · Published Mar 17, 2026 · Updated Mar 26, 2026

Rubygem-katello: katello: denial of service and potential information disclosure via sql injection

CVE-2026-4324

Description

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sort_by parameter of the /api/hosts/bootc_images API endpoint. This can lead to a Denial of Service (DoS) by triggering database errors, and potentially enable Boolean-based Blind SQL injection, which could allow an attacker to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input sanitization in Katello's sort_by parameter allows SQL injection, leading to DoS and potential data extraction.

Vulnerability

Overview

CVE-2026-4324 is a SQL injection vulnerability found in the Katello plugin for Red Hat Satellite. The flaw originates from improper sanitization of user-provided input passed to the sort_by parameter of the /api/hosts/bootc_images API endpoint. The official description and the advisory [1][2] confirm that the input is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands.

Exploitation

An attacker exploits this by sending a crafted HTTP request to the vulnerable endpoint with SQL in the sort_by parameter. The advisory [3] describes the attack as remote and as not requiring special privileges; the page does not establish that the endpoint is reachable without authentication, and the patched controller's index_relation (see the fix below) scopes its query with resource_class.authorized(:view_hosts), the ordinary Katello API authorization path. The fix commit [4] adds a sanitize_sort_column method that accepts only the column names bootc_booted_image, bootc_booted_digest and host_count and falls back to bootc_booted_image for anything else, which confirms that the raw parameter previously reached the query without a column allowlist.

Impact

Successful exploitation lets a remote attacker cause a Denial of Service by triggering database errors, for example by naming a column that does not exist. Because sort_by selects the ORDER BY column, the vulnerability also enables Boolean-based Blind SQL injection: the attacker embeds a condition in the ordering expression and reads its truth value from the order of the returned rows, one bit per request, which could allow extraction of sensitive information from the database [1][2]. This could lead to unauthorized disclosure of data stored in the Satellite database.
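The sort_by handling the advisory describes, contrasted with the allowlist the fix introduces, as an added Ruby example that is not Katello's code and not part of this page: it reconstructs the vulnerable and hardened ORDER BY builders (assumptions: before the fix the raw value reached ORDER BY unchanged, and sanitize_sort_order falls back to asc for anything other than asc/desc, since the diff only shows its accept branch), shows a database-error payload and a Boolean-blind CASE payload, and runs a detection pass over constructed access-log lines that flags any sort_by value outside the allowlist. The payloads, the log lines and the (SELECT 1) subquery are constructed placeholders, not real Katello schema objects or traffic.

```ruby
require 'uri'

# Added example; not Katello's code. The allowlist and default column are taken
# from the fix commit; the two ORDER BY builders reconstruct the before/after
# behaviour the advisory describes (assumption: the raw sort_by value reached
# the ORDER BY clause unchanged before the fix).
SORTABLE_COLUMNS = %w[bootc_booted_image bootc_booted_digest host_count].freeze
DEFAULT_SORT = 'bootc_booted_image'

# Only asc/desc pass; anything else (including nil) falls back to asc.
# The fix's sanitize_sort_order shows the same accept branch; the fallback is assumed.
def sanitize_sort_order(sort_order)
  return 'asc' unless sort_order.is_a?(String)
  %w[asc desc].include?(sort_order.downcase) ? sort_order.downcase : 'asc'
end

# Fixed behaviour from the patch: the column is an allowlisted name or the default.
def sanitize_sort_column(sort_column)
  SORTABLE_COLUMNS.include?(sort_column) ? sort_column : DEFAULT_SORT
end

# Vulnerable shape: the request value is interpolated straight into the clause.
def order_clause_vulnerable(params)
  column = params['sort_by'] || DEFAULT_SORT
  "ORDER BY #{column} #{sanitize_sort_order(params['sort_order'])}"
end

# Hardened shape: the column comes from the allowlist; the request only picks which one.
def order_clause_hardened(params)
  "ORDER BY #{sanitize_sort_column(params['sort_by'])} #{sanitize_sort_order(params['sort_order'])}"
end

# Constructed payloads. An unknown column makes the database raise (the DoS path);
# a CASE expression makes the row order depend on a condition, so comparing two
# responses leaks one bit per request (the Boolean-blind path). The subquery is a
# placeholder, not a real Katello table.
DOS_PAYLOAD   = 'no_such_column'
BLIND_PAYLOAD = '(CASE WHEN (SELECT 1)=1 THEN bootc_booted_image ELSE host_count END)'

# Detection: flag access-log lines where a bootc_images request carries a sort_by
# value outside the allowlist. Returns [line_number, decoded_value] pairs.
def flag_suspicious_sort_by(log_lines)
  hits = []
  log_lines.each_with_index do |line, idx|
    path = line[/"GET (\S+) HTTP/, 1]
    next unless path && path.include?('/hosts/bootc_images')
    query = URI.parse(path).query
    next unless query
    URI.decode_www_form(query).each do |key, value|
      next unless key == 'sort_by'
      hits << [idx + 1, value] unless SORTABLE_COLUMNS.include?(value)
    end
  end
  hits
end

# Constructed log lines in Apache combined-style format (not from a real Satellite).
SAMPLE_LOG = [
  '10.0.0.5 - - [17/Mar/2026:10:00:01 +0000] "GET /api/hosts/bootc_images?sort_by=host_count&sort_order=desc HTTP/1.1" 200 4123',
  '10.0.0.9 - - [17/Mar/2026:10:00:07 +0000] "GET /api/hosts/bootc_images?sort_by=no_such_column HTTP/1.1" 500 211',
  '10.0.0.9 - - [17/Mar/2026:10:00:12 +0000] "GET /api/hosts/bootc_images?sort_by=%28CASE+WHEN+%28SELECT+1%29%3D1+THEN+bootc_booted_image+ELSE+host_count+END%29 HTTP/1.1" 200 4123',
  '10.0.0.5 - - [17/Mar/2026:10:00:20 +0000] "GET /api/hosts?sort_by=no_such_column HTTP/1.1" 200 9000'
].freeze

if __FILE__ == $PROGRAM_NAME
  [{ 'sort_by' => DOS_PAYLOAD }, { 'sort_by' => BLIND_PAYLOAD, 'sort_order' => 'DESC' }].each do |p|
    puts "vulnerable: #{order_clause_vulnerable(p)}"
    puts "hardened:   #{order_clause_hardened(p)}"
  end
  flag_suspicious_sort_by(SAMPLE_LOG).each { |n, v| puts "line #{n}: sort_by=#{v.inspect}" }
end
```

Run it with ruby: the vulnerable builder passes both payloads through to the clause, the hardened one collapses them to ORDER BY bootc_booted_image asc, and the log scan reports lines 2 and 3 of the sample. The same allowlist comparison is the signature to alert on in a SOC: a legitimate client never sends a sort_by outside those three names, so any other value on this endpoint is either a bug or an attempt.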

Mitigation

Red Hat has released security updates for Red Hat Satellite as described in RHSA-2026:5970 and RHSA-2026:5968 [1][2]. The fix is also available in the upstream Katello repository [4]. Users are strongly advised to apply the updates immediately to protect their systems.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
katello (RubyGems)   < 4.19.1            4.19.1

Affected products (5)
  • Red Hat/Red Hat Satellite 6v5
    cpe:/a:redhat:satellite:6
  • Red Hat/Red Hat Satellite 6.17 for RHEL 9v5
    cpe:/a:redhat:satellite_capsule:6.17::el9
    Range: 0:0.0.3-4.el9sat
  • Red Hat/Red Hat Satellite 6.18 for RHEL 9v5
    cpe:/a:redhat:satellite_utils:6.18::el9
    Range: 0:4.18.0.9-1.el9sat

Patches (1)
a0a793b08d4f

fixes #39136 - Fix typos and sanitize order_by/sort_by params in host_bootc_images_controller (#11664)

https://github.com/Katello/katello · Aiden Fine · Mar 11, 2026 · via ghsa
7 files changed · +28 −22
  • app/controllers/katello/api/v2/host_bootc_images_controller.rb (+7 −1, modified)
    @@ -10,7 +10,7 @@ class Api::V2::HostBootcImagesController < Api::V2::ApiController
         api :GET, "/hosts/bootc_images", N_("List booted bootc container images for hosts")
         param_group :search, Api::V2::ApiController
         def bootc_images
    -      params[:sort_by] ||= 'bootc_booted_image'
    +      params[:sort_by] = sanitize_sort_column(params[:sort_by])
           params[:sort_order] ||= 'asc'
           if params[:order]
             params[:order] = "#{params[:order].split(' ')[0]} #{sanitize_sort_order(params[:order].split(' ')[1])}"
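Review bot: the column token of params[:order] (params[:order].split(' ')[0]) is still interpolated verbatim in this hunk; only the direction goes through sanitize_sort_order, although the commit message says order_by is sanitized as well. Run that token through the new allowlist too, e.g. `params[:order] = "#{sanitize_sort_column(params[:order].split(' ')[0])} #{sanitize_sort_order(params[:order].split(' ')[1])}"`, otherwise an arbitrary column expression can still reach the ORDER BY clause via order= even though sort_by is now closed.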
    @@ -38,6 +38,8 @@ def bootc_images
     
         private
     
    +    SORTABLE_COLUMNS = %w[bootc_booted_image bootc_booted_digest host_count].freeze
    +
         def sanitize_sort_order(sort_order)
           if sort_order.present? && ['asc', 'desc'].include?(sort_order.downcase)
             sort_order.downcase
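Review bot: SORTABLE_COLUMNS is declared after `private`, but `private` does not apply to constants, so it stays publicly readable as Api::V2::HostBootcImagesController::SORTABLE_COLUMNS; add `private_constant :SORTABLE_COLUMNS` if it is meant to be internal, or move it up with the class's other declarations. Referencing it from bootc_images above its definition is fine, since Ruby resolves the constant at call time.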
    @@ -46,6 +48,10 @@ def sanitize_sort_order(sort_order)
           end
         end
     
    +    def sanitize_sort_column(sort_column)
    +      SORTABLE_COLUMNS.include?(sort_column) ? sort_column : 'bootc_booted_image'
    +    end
    +
         def index_relation
           query = resource_class.authorized(:view_hosts).distinct
           query.joins(:content_facet).where.not(bootc_booted_image: nil, bootc_booted_digest: nil)
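Review bot: sanitize_sort_column silently substitutes the default column for any unrecognised value, so a client that sends sort_by=Host_Count or a typo gets results sorted by bootc_booted_image with no indication, and an injection attempt is indistinguishable from a harmless request in the response. Consider rejecting unknown values with a 400 (or at least logging the rejected value) so that attempts surface, and decide whether matching should be case-insensitive the way sanitize_sort_order's downcase is. The exact-string include? check itself is the right shape: the column is chosen from the fixed list and never taken from the request.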
    
  • app/views/katello/api/v2/content_credentials/show.json.rabl (+3 −3, modified)
    @@ -114,8 +114,8 @@ end
     
     node :permissions do |content_credential|
       {
    -    :view_content_credenials => content_credential.readable?,
    -    :edit_content_credenials => content_credential.editable?,
    -    :destroy_content_credenials => content_credential.deletable?,
    +    :view_content_credentials => content_credential.readable?,
    +    :edit_content_credentials => content_credential.editable?,
    +    :destroy_content_credentials => content_credential.deletable?,
       }
     end
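Review bot: renaming the view_content_credenials / edit_content_credenials / destroy_content_credenials keys changes the public JSON shape of the content credential show response; any external consumer that parsed the misspelled keys will now find them missing. The in-repo fixtures are updated in this same commit, but this should be called out as an API change (or the old keys emitted alongside the new ones for a deprecation period), and since it is unrelated to the SQL fix, backporters should be able to drop it cleanly.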
    
  • engines/bastion_katello/test/content-credentials/content-credentials.factory.test.js (+4 −4, modified)
    @@ -47,15 +47,15 @@ describe("Factory: ContentCredential", function() {
             ssl_key_products: [],
             ssl_key_root_repos: [],
             permissions: {
    -          view_content_credenials: true,
    -          edit_content_credenials: true,
    -          destroy_content_credenials: true
    +          view_content_credentials: true,
    +          edit_content_credentials: true,
    +          destroy_content_credentials: true
             }
           };
     
           contentCredentials = {
             records: [
    -          contentCredential          
    +          contentCredential
             ],
             total: 3,
             subtotal: 1
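Review bot: the second change in this hunk (the contentCredential line) is a trailing-whitespace removal with no relation to the typo fix; harmless, but whitespace and typo cleanup mixed into a security-fix commit adds noise to every backport of the SQL change.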
    
  • webpack/components/Bookmark/AddBookmarkModal.js (+1 −1, modified)
    @@ -51,7 +51,7 @@ const AddBookmarkModal = ({ selectedItem, onClose, controller }) => {
             </FormGroup>
             <FormGroup label={__('Search Query')} isRequired fieldId="query">
               <TextInput
    -            ouiaId="query-inout"
    +            ouiaId="query-input"
                 isRequired
                 type="text"
                 id="query"
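Review bot: ouiaId is a test-selector attribute, so grep the webpack tests for the old "query-inout" value before merging; any selector keyed on the misspelling will stop matching silently rather than fail at build time.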
    
  • webpack/scenes/AlternateContentSources/Create/__tests__/contentCredentials.fixtures.json (+6 −6, modified)
    @@ -33,9 +33,9 @@
           "ssl_key_products": [],
           "ssl_key_root_repos": [],
           "permissions": {
    -        "view_content_credenials": true,
    -        "edit_content_credenials": true,
    -        "destroy_content_credenials": true
    +        "view_content_credentials": true,
    +        "edit_content_credentials": true,
    +        "destroy_content_credentials": true
           }
         },
         {
    @@ -60,9 +60,9 @@
           "ssl_key_products": [],
           "ssl_key_root_repos": [],
           "permissions": {
    -        "view_content_credenials": true,
    -        "edit_content_credenials": true,
    -        "destroy_content_credenials": true
    +        "view_content_credentials": true,
    +        "edit_content_credentials": true,
    +        "destroy_content_credentials": true
           }
         }
       ]
    
  • webpack/scenes/ContainerImages/Booted/BootedContainerImagesPage.js (+1 −1, modified)
    @@ -104,7 +104,7 @@ const BootedContainerImagesPage = () => {
         <TableIndexPage
           apiUrl={BOOTED_CONTAINER_IMAGES_API_PATH}
           apiOptions={apiOptions}
    -      createable={false}
    +      creatable={false}
           isDeleteable={false}
           controller="/katello/api/v2/host_bootc_images"
         >
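Review bot: `createable` was never a recognised prop, so TableIndexPage has been receiving its default for `creatable` on this page until now; confirm that default is already false, otherwise this rename changes whether the create action is rendered on the booted-images page, a behaviour change hidden inside a typo fix.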
    
  • webpack/scenes/ContentCredentials/__tests__/contentCredentials.fixtures.js (+6 −6, modified)
    @@ -35,9 +35,9 @@ const contentCredentialsResponse = Immutable({
           ssl_key_products: [],
           ssl_key_root_repos: [],
           permissions: {
    -        view_content_credenials: true,
    -        edit_content_credenials: true,
    -        destroy_content_credenials: true,
    +        view_content_credentials: true,
    +        edit_content_credentials: true,
    +        destroy_content_credentials: true,
           },
         },
         {
    @@ -62,9 +62,9 @@ const contentCredentialsResponse = Immutable({
           ssl_key_products: [],
           ssl_key_root_repos: [],
           permissions: {
    -        view_content_credenials: true,
    -        edit_content_credenials: true,
    -        destroy_content_credenials: true,
    +        view_content_credentials: true,
    +        edit_content_credentials: true,
    +        destroy_content_credentials: true,
           },
         },
       ],
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)

News mentions (0)

No linked articles in our index yet.