5.0

Foreman GraphQL API Allows Low-Privileged Users to Access Sensitive Metadata

CVE-2025-9572
Summary

Foreman's GraphQL API has a bug that lets users with limited permissions see extra information they shouldn't be able to access. This could potentially allow them to see confidential data. To fix this, update to the latest version of Foreman or apply a patch as soon as possible.

Original title
An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the Gr...
Original description
An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
NVD CVSS 3.1: 5.0
Vulnerability type
CWE-200 Information Exposure
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026