
Fixes #39481 - CVE-2026-5138: Information disclosure via nested request parameters #11074

Merged: ogajduse merged 1 commit into theforeman:3.19-stable from ogajduse:cve-2026-5138/3.19-stable on Jul 1, 2026

Conversation

@ogajduse (Member) commented Jul 1, 2026

CVE-2026-5138

Information disclosure via improper validation of nested request parameters.

The taxonomy_scope controller method loads organization and location IDs from nested request parameters without checking the user's taxonomy membership. An authenticated user with host-edit permissions can supply a foreign organization ID in nested parameters to scope AJAX queries to a tenant they do not belong to, leaking infrastructure metadata such as domains, subnets, and IP availability.
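A constructed illustration of the weakness described in the comment above, added here and not the Foreman code changed by this PR: a taxonomy scope built from nested parameters, first trusting the IDs as-is and then honouring only those the user is a member of. `User`, `TaxonomyScope` and the `"host"` parameter key are assumptions for the example.

```ruby
# Added example, not Foreman's code: a minimal model of the taxonomy_scope
# weakness and its fix. User, TaxonomyScope and the parameter layout are
# constructed for this illustration.
User = Struct.new(:login, :organization_ids, :location_ids, :admin)

module TaxonomyScope
  # Pull organization/location IDs out of the first nested hash in params,
  # e.g. { "host" => { "organization_id" => "7", "location_id" => "3" } }.
  # Shape A (what the CVE describes): the IDs are used as-is, so a request
  # carrying a foreign organization_id scopes the query to that tenant.
  def self.unchecked(params)
    nested = params.values.grep(Hash).first || {}
    {
      organization_id: to_id(nested["organization_id"]),
      location_id: to_id(nested["location_id"])
    }
  end

  # Shape B (hardened): an ID is honoured only if the user is a member of
  # that taxonomy; admins are exempt. A rejected ID becomes nil, and the
  # caller must then fall back to the user's own taxonomies, never to an
  # unscoped query.
  def self.checked(params, user)
    requested = unchecked(params)
    return requested if user.admin
    {
      organization_id: member_only(requested[:organization_id], user.organization_ids),
      location_id: member_only(requested[:location_id], user.location_ids)
    }
  end

  def self.to_id(value)
    # Only positive integers are plausible IDs; anything else is ignored.
    value.to_s =~ /\A\d+\z/ ? value.to_i : nil
  end

  def self.member_only(id, member_ids)
    id && member_ids.include?(id) ? id : nil
  end
end
```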

@pr-processor (bot) added labels "Not yet reviewed" and "Stable branch" (PRs that are opened against a stable branch. Usually a cherry pick) on Jul 1, 2026
@ogajduse force-pushed the cve-2026-5138/3.19-stable branch from 9264d08 to 4dca51a on July 1, 2026 16:09
@ogajduse merged commit 92b8705 into theforeman:3.19-stable on Jul 1, 2026
22 of 23 checks passed
@ogajduse deleted the cve-2026-5138/3.19-stable branch on July 1, 2026 16:45