Bug #39121
Status: Closed
CVE-2026-1961: Remote Code Execution via command injection in WebSocket proxy
Description
Summary: A critical command injection vulnerability exists in Foreman's WebSocket proxy implementation (lib/ws_proxy.rb). The vulnerability occurs when constructing shell commands using unsanitized hostname values from compute resource providers. An attacker operating a malicious compute resource server (VMware vSphere, Libvirt, etc.) can achieve remote code execution on the Foreman server when an administrator accesses VM console functionality.
Requirements to exploit: An attacker needs to operate a malicious compute resource server (such as a fake vSphere server) that returns poisoned hostname values. The Foreman administrator must then configure this malicious server as a compute resource and attempt to access the VM console through the normal workflow.
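The defect class described above, as an added Ruby example that is not Foreman's code and does not reproduce lib/ws_proxy.rb: a provider-supplied hostname interpolated into a shell string beside the hardened form that validates the value as a hostname or IP literal and then builds an argv array so no shell is ever involved. PROXY_BIN is a hypothetical placeholder for whatever helper the proxy launches.

```ruby
require 'ipaddr'

# Hypothetical placeholder for the helper binary the proxy would launch;
# this is a constructed example, not Foreman's lib/ws_proxy.rb.
PROXY_BIN = 'ws-proxy-helper'

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 1-63 chars per label. Nothing a shell treats
# specially (; | & $ ` ( ) space, quotes) can pass this pattern.
HOSTNAME_RE = /\A[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z/

def ip_literal?(host)
  # Restrict to hex digits, dots and colons before asking IPAddr, so prefix
  # forms such as "192.0.2.0/24" are not accepted as a console target.
  return false unless host.match?(/\A[0-9A-Fa-f:.]+\z/)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

def valid_hostname?(host)
  return false unless host.is_a?(String) && host.length <= 253
  HOSTNAME_RE.match?(host) || ip_literal?(host)
end

# Vulnerable pattern: the provider-supplied host is interpolated into one
# string that is later handed to a shell, so any metacharacter it contains
# is interpreted as part of the command rather than as part of the address.
def vulnerable_command(host, port)
  "#{PROXY_BIN} --target #{host}:#{port}"
end

# Hardened pattern: reject anything that is not a hostname or IP literal,
# then build an argv array. Process.spawn(*argv) / system(*argv) with more
# than one argument exec the program directly and never invoke a shell.
def safe_command(host, port)
  raise ArgumentError, "invalid host: #{host.inspect}" unless valid_hostname?(host)
  unless port.is_a?(Integer) && port.between?(1, 65_535)
    raise ArgumentError, "invalid port: #{port.inspect}"
  end
  [PROXY_BIN, '--target', "#{host}:#{port}"]
end
```

The same validator can be applied when a compute resource record is saved, so a poisoned value from a provider is rejected long before the console workflow is reached.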
Updated by Ondřej Gajdušek about 1 month ago
- Target version changed from 3.18.0 to 3.19.0
Updated by Ondřej Gajdušek 18 days ago
- Subject changed from Remote Code Execution via command injection in WebSocket proxy to CVE-2026-1961: Remote Code Execution via command injection in WebSocket proxy
Updated by The Foreman Bot 15 days ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/10921 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10922 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10923 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10924 added
Updated by Evgeni Golov 15 days ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|52b7c76a8ef45426def5ff7b6bb70ae377f00c29.