Foreman fixes WebSocket proxy command injection leading to RCE
TL;DR — A malicious compute-resource provider can trigger command injection in Foreman’s VM-console workflow, leading to remote code execution on the Foreman server.
What happened
Foreman is an open-source infrastructure lifecycle management tool used to provision and manage hosts and integrate with virtualization/compute providers.
CVE-2026-1961 reports a command injection issue in Foreman’s WebSocket proxy implementation. Per the disclosure, the vulnerable code constructs shell commands using unsanitized hostname values sourced from compute resource providers (e.g., VMware vSphere, Libvirt). An attacker who controls or can impersonate a compute resource server can achieve remote code execution on the Foreman server when an administrator accesses VM console functionality through the normal UI workflow.
CVSS v3.1 is 8.0 (High). This is a classic trust-boundary failure: management-plane systems often treat “infrastructure provider” fields as trusted, but the integration surface is frequently reachable from less-trusted networks and third-party environments.
Who is impacted
- Foreman deployments up to and including 3.18.0.
- Environments where Foreman is configured with external compute resource providers (e.g., vSphere/Libvirt) and admins use VM console features.
- Risk is highest when a compute resource endpoint can be made malicious or attacker-controlled (compromised virtualization management plane, rogue endpoint, misconfigured routing/DNS, or untrusted lab/provider integrations).
| Component | Affected versions (per advisory) | Fixed / patched (per advisory) |
|---|---|---|
| Foreman | <= 3.18.0 | 3.18.1, 3.17.2, 3.16.3 |
What to do now
- Follow vendor remediation guidance and apply a fixed release. The advisory states: "Fixed in: Foreman 3.18.1, Foreman 3.17.2, Foreman 3.16.3".
- Inventory where Foreman is integrated with compute resource providers and treat provider-supplied metadata (including hostnames) as untrusted input until patched.
- Review who can add/modify compute resource providers and who can access VM console functionality; reduce exposure where possible (least privilege for Foreman admin roles).
- If compromise is suspected, prioritize incident triage around VM console access activity and any unexpected process execution on the Foreman server (the exploit path is tied to the VM console workflow).
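The defensive pattern behind the fix, validating the provider-supplied hostname against a strict syntax allowlist and handing it to the proxy as an argv array rather than a shell string, as an added Ruby example; this is illustrative code, not Foreman's own, and the proxy binary name, its flags and the sample hosts are assumptions.

```ruby
require 'ipaddr'
# RFC 1123 hostname: dot-separated labels of [a-z0-9-], no leading/trailing hyphen,
# at most 253 chars. Shell metacharacters, quotes and whitespace cannot match.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*\z/i

# Returns a provider-supplied hostname or bare IPv4/IPv6 literal unchanged;
# raises ArgumentError for anything else.
def validate_console_host(host)
  raise ArgumentError, 'console host must be a non-empty String' unless host.is_a?(String) && !host.empty?
  return host if host.match?(HOSTNAME_RE)
  # IPAddr also parses CIDR prefixes; a console endpoint is never a range.
  raise ArgumentError, "rejected console host: #{host.inspect}" if host.include?('/')
  IPAddr.new(host)
  host
rescue IPAddr::Error
  raise ArgumentError, "rejected console host: #{host.inspect}"
end

# Ports come from the same untrusted metadata; coerce strictly.
def validate_console_port(port)
  p = Integer(port, exception: false)
  raise ArgumentError, "rejected console port: #{port.inspect}" unless p && (1..65_535).cover?(p)
  p
end

# argv for a hypothetical proxy binary (name and flags are assumptions, not Foreman's).
# As an Array, Process.spawn runs the binary directly: no shell parses the values,
# so the hostname stays one argument even if validation were somehow bypassed.
def build_proxy_argv(host, port, listen_port, proxy_bin: 'ws-console-proxy')
  target = "#{validate_console_host(host)}:#{validate_console_port(port)}"
  [proxy_bin, '--listen', validate_console_port(listen_port).to_s, '--target', target]
end

def launch_console_proxy(host, port, listen_port)
  Process.spawn(*build_proxy_argv(host, port, listen_port)) # array form, never a command string
end

# Triage helper for the inventory step: split provider-reported hosts into
# [accepted, rejected]; rejected ones would have been injectable pre-patch.
def screen_provider_hosts(hosts)
  hosts.partition do |h|
    validate_console_host(h)
    true
  rescue ArgumentError
    false
  end
end

# Constructed sample of provider-reported console hosts, one carrying metacharacters.
SAMPLE_HOSTS = ['esxi01.lab.example.com', '10.20.30.40', '2001:db8::1', 'esxi02; echo injected'].freeze
```

`screen_provider_hosts(SAMPLE_HOSTS)` is the check to run over hostnames pulled from each configured compute resource while a deployment is still unpatched.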
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
