oss-sec mailing list archives
CVE-2026-1961: Foreman: Remote Code Execution via command injection in WebSocket proxy
From: Ondrej Gajdusek <ogajduse () redhat com>
Date: Fri, 27 Mar 2026 12:33:16 +0100
Hi, A security vulnerability has been fixed in Foreman, an open-source infrastructure lifecycle management tool. CVE-2026-1961: Remote Code Execution via command injection in WebSocket proxy A command injection vulnerability was discovered in Foreman's WebSocket proxy implementation. The vulnerability occurs when constructing shell commands using unsanitized hostname values from compute resource providers (such as VMware vSphere, Libvirt, etc.). An attacker operating a malicious compute resource server can achieve remote code execution on the Foreman server when an administrator accesses VM console functionality through the normal workflow. Affected versions: Foreman up to and including 3.18.0 CVSS v3.1 Score: 8.0 (High) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Fixed in: Foreman 3.18.1, Foreman 3.17.2, Foreman 3.16.3 Credit: Houssam Sahli References: - Foreman security page: https://theforeman.org/security.html#2026-1961 - Redmine issue: https://projects.theforeman.org/issues/39121 - GitHub PR: https://github.com/theforeman/foreman/pull/10921 Thanks, Ondrej Gajdusek Foreman Project
Current thread:
- CVE-2026-1961: Foreman: Remote Code Execution via command injection in WebSocket proxy Ondrej Gajdusek (Mar 27)
