CVE-2026-12515: Missing Authorization in Red Hat Red Hat Hardened Images
A flaw was found in the content upload functionality of Katello in Red Hat Satellite. Insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability CVE-2026-12515 affects Red Hat Satellite's Katello content upload functionality. Due to missing authorization checks in the ContentUploadsController, users granted the edit_products permission can query content information for repositories beyond their authorized products. This unauthorized information disclosure allows an attacker to confirm the presence of specific content in repositories they should not access. The issue is limited to information disclosure and does not allow unauthorized content modification or importation.
Potential Impact
An authenticated attacker with edit_products permission can gain unauthorized read access to content information in repositories outside their authorized scope. This leads to information disclosure about repository contents but does not enable modification, import, or publication of content. The confidentiality impact is limited, with no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-12515 for current remediation guidance. No official fix or workaround is currently documented. Until a patch is available, restrict edit_products permissions to trusted users only to minimize exposure.
CVSS v3.1
Score: 4.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-06-17T12:39:00.644Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory URLs: https://access.redhat.com/security/cve/CVE-2026-12515 (Red Hat)
Threat ID: 6a32cb1b9f87a2db09260e2c
Added to database: 6/17/2026, 4:28:11 PM
Last enriched: 6/17/2026, 4:43:28 PM
Last updated: 6/17/2026, 6:47:57 PM
Views: 4