CVE-2026-12515

CVE-2026-12515 is a medium-severity vulnerability with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.

Key facts

Description

A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.

Frequently asked questions

What is CVE-2026-12515?
A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to manage. An authenticated attacker could exploit this issue to determine whether specific content exists within repositories that should otherwise be inaccessible. This issue does not allow unauthorized modification, import, or publication of content.
How severe is CVE-2026-12515?
CVE-2026-12515 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-12515 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (10th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-12515?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-12515 have an EU (EUVD) identifier?
Yes. CVE-2026-12515 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37746.
When was CVE-2026-12515 published?
CVE-2026-12515 was published on 2026-06-17 and last updated on 2026-06-26.

References

Other CWE-862 (Missing Authorization) vulnerabilities

Browse all CWE-862 (Missing Authorization) vulnerabilities →