Cyber Resilience

CVE-2026-5136

High

Published: 01 July 2026

Published
01 July 2026
Modified
02 July 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5136 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 21.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a…

more

user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-266

Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles.

addresses: CWE-266

Regular reviews catch incorrect privilege assignments to users, roles, or processes.

addresses: CWE-266

Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments.

addresses: CWE-266

The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.

addresses: CWE-266

Ensures privileges are assigned only as necessary rather than incorrectly over-granted.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248551 A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Oracle Linux 9 (1 rule)
  • V-271779 OL 9 must be configured so that a sticky bit must be set on all public directories. via CWE-266
RHEL 8 (1 rule)
  • V-230243 A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
RHEL 9 (1 rule)
  • V-257929 A sticky bit must be set on all RHEL 9 public directories. via CWE-266
Ubuntu 22.04 (2 rules)
  • V-260559 Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group. via CWE-266
  • V-260513 Ubuntu 22.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Ubuntu 24.04 (2 rules)
  • V-270748 Ubuntu 24.04 LTS must ensure only users who need access to security functions are part of sudo group. via CWE-266
  • V-270750 Ubuntu 24.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266

References