Fixes #39478 - CVE-2026-5136: Privilege escalation via usergroup role assignment #11065

Merged

Odilhao merged 3 commits into theforeman:3.19-stable from ogajduse:cve-2026-5136/3.19-stable on Jul 1, 2026

Conversation

@ogajduse (Member) commented Jul 1, 2026

CVE-2026-5136

Privilege escalation via usergroup role assignment manipulation.

The Usergroup model does not validate whether the calling user is permitted to assign the specified roles. A user with create_usergroups or edit_usergroups permission can attach arbitrary roles to a usergroup via the API, add themselves as a member, and inherit elevated privileges.

@pr-processor (bot) added the labels "Not yet reviewed" and "Stable branch" (PRs that are opened against a stable branch. Usually a cherry pick) on Jul 1, 2026
Lukshio and others added 3 commits July 1, 2026 18:09
A user who is a member of a usergroup can add a role granting
escalate_roles to that usergroup, bypassing the privilege escalation
check. The role assignment is cached before the validation runs, so
can_escalate? sees the newly granted permission and allows it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a user is a member of a usergroup and edits its roles, the
role_ids= setter immediately persists UserRole records and populates
the CachedUserRole cache. By the time the ensure_roles_not_escalated
validation runs, can_escalate? sees the freshly cached permission and
allows the assignment — letting the user grant themselves
escalate_roles through the group.

Fix by excluding CachedUserRole entries for the newly added roles on
the edited usergroup when checking escalation capability. Pre-existing
roles on the same usergroup (including a legitimate escalate_roles
grant) are still honored.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
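The two commit messages above describe an ordering bug: the roles are persisted and cached before the escalation check runs, so a group member who edits the group's roles is evaluated against the permissions it is in the middle of granting itself. The following is an added, self-contained Ruby model of that pattern and of the fix strategy the commits describe (ignore cache entries for the roles being added on the edited group, keep everything else). It is not Foreman's code; every class, method and role name here is invented, and the policy in `allowed_to_assign?` is a simplified stand-in, not Foreman's actual `ensure_roles_not_escalated` rule.

```ruby
# Toy model of a check-after-commit bug in usergroup role assignment.
# Constructed illustration only: names are invented, this is not Foreman's code.
require 'set'

Role = Struct.new(:name, :permissions)
# Stands in for a cached "user holds role R via source S" row.
CachedRole = Struct.new(:role, :source)

class Usergroup
  attr_reader :name, :roles, :members
  def initialize(name, roles: [])
    @name, @roles, @members = name, roles.dup, []
  end

  def add_member(user)
    @members << user
    user.groups << self
  end
end

class User
  attr_reader :name, :direct_roles, :groups
  def initialize(name, direct_roles: [])
    @name, @direct_roles, @groups = name, direct_roles, []
  end

  # Effective roles: direct grants plus every role of every group the user is in.
  def cached_roles
    direct_roles.map { |r| CachedRole.new(r, :direct) } +
      groups.flat_map { |g| g.roles.map { |r| CachedRole.new(r, g) } }
  end

  def permissions(excluding: [])
    (cached_roles - excluding).flat_map { |e| e.role.permissions }.to_set
  end

  def can_escalate?(excluding: [])
    permissions(excluding: excluding).include?(:escalate_roles)
  end
end

# Toy policy (assumption, not Foreman's rule): the actor may attach roles to a
# group if it holds escalate_roles, or if the roles grant nothing it lacks.
def allowed_to_assign?(actor, new_roles, excluding: [])
  return true if actor.can_escalate?(excluding: excluding)
  have = actor.permissions(excluding: excluding)
  new_roles.all? { |r| r.permissions.to_set.subset?(have) }
end

# Vulnerable ordering: roles are persisted (and visible through the actor's
# cached roles) before the check, so a member of the group is judged against
# the very permissions the change would grant.
def assign_roles_vulnerable(actor, group, new_roles)
  group.roles.concat(new_roles)
  return true if allowed_to_assign?(actor, new_roles)
  group.roles.replace(group.roles - new_roles)
  false
end

# Fixed ordering: the check ignores cache entries for roles newly added on this
# group only. Roles the group already had, and roles held directly or via other
# groups, still count toward the decision.
def assign_roles_fixed(actor, group, new_roles)
  added = new_roles - group.roles
  pending = added.map { |r| CachedRole.new(r, group) }
  group.roles.concat(added)
  return true if allowed_to_assign?(actor, new_roles, excluding: pending)
  group.roles.replace(group.roles - added)
  false
end

# Constructed scenario; returns [vulnerable_result, fixed_result, existing_grant_honored].
def demo
  editor    = Role.new('Editor',    [:edit_usergroups])
  viewer    = Role.new('Viewer',    [:view_hosts])
  escalator = Role.new('Escalator', [:escalate_roles])

  # alice may edit usergroups and belongs to 'team', which has no escalate_roles.
  team  = Usergroup.new('team', roles: [viewer])
  alice = User.new('alice', direct_roles: [editor])
  team.add_member(alice)
  vulnerable = assign_roles_vulnerable(alice, team, [escalator]) # true: the bug
  team.roles.delete(escalator)                                   # reset state
  fixed = assign_roles_fixed(alice, team, [escalator])           # false: denied

  # bob's group already legitimately holds escalate_roles; it keeps working.
  admins = Usergroup.new('admins', roles: [escalator])
  bob = User.new('bob')
  admins.add_member(bob)
  honored = assign_roles_fixed(bob, admins, [viewer])            # true
  [vulnerable, fixed, honored]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The design point is that the exclusion is scoped to `(role, group)` pairs rather than to the role itself: if the actor already held `escalate_roles` directly or through another group, that entry survives the filter, which is what the second commit message means by pre-existing grants still being honored.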
@ogajduse force-pushed the cve-2026-5136/3.19-stable branch from 62affa8 to 2baf387 on July 1, 2026 16:09
@Odilhao Odilhao merged commit 18036e1 into theforeman:3.19-stable Jul 1, 2026
21 of 23 checks passed
@ogajduse ogajduse deleted the cve-2026-5136/3.19-stable branch July 1, 2026 16:45