CVE-2026-12112

Summary

A flaw was found in the foreman-mcp-server. A session management vulnerability in the MCP Server allows unauthenticated attackers to hijack active administrative sessions due to an improper cache of authenticated client connections, by trusting a non-secret session ID without re-validating authentication tokens and by logging all newly created session IDs to standard logs. This issue can result in privilege escalation and infrastructure-wide code execution.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Satellite 6.191782228692 < *unaffected

Weaknesses

  • CWE-287: Improper Authentication

Workarounds

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

foreman-mcp-server: MCP Server: Active Session Hijacking via Insecure Session State Reuse

Additional References

References