Foreman WebSocket Proxy Command Injection Vulnerability (CVE-2026-1961)
A command injection vulnerability exists in Foreman's WebSocket proxy, enabling remote code execution on the Foreman server via a malicious compute resource server when a user accesses VM VNC console functionality.
CVE-2026-1961 identifies a critical command injection vulnerability within the Foreman application, specifically affecting the WebSocket proxy implementation. This flaw stems from the use of unsanitized hostname values obtained from compute resource providers during the construction of shell commands. An attacker who controls a malicious compute resource server can exploit this vulnerability to execute arbitrary code on the Foreman server. This is achieved when a user interacts with the VM VNC…
Detection coverage (2)
Foreman Suspicious Process Execution via Command Injection
high: Detects suspicious process execution originating from the Foreman process, indicative of command injection exploitation.
Foreman Websocket Proxy Handling Malicious Hostnames
medium: Detects suspicious WebSocket connections originating from the Foreman process where the hostname contains shell metacharacters.
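
The root cause described above is a provider-supplied hostname reaching a shell command string. The Ruby sketch below is an added example, not Foreman's code or its fix: it validates the hostname and builds the proxy command as an argv array so no shell parses the value. The helper names (`valid_console_host?`, `proxy_argv`, `argv_seen_by_child`), the proxy path and the sample hostnames are assumptions made for illustration.

```ruby
require "open3"
require "rbconfig"

# One RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen.
# \A and \z anchor the whole string; ^ and $ would accept "host\n<anything>".
HOSTNAME_LABEL = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i

# True only for dotted hostnames or IPv4 literals (IPv6 is out of scope here).
def valid_console_host?(host)
  return false unless host.is_a?(String) && host.length.between?(1, 253)
  host.split(".", -1).all? { |label| label.match?(HOSTNAME_LABEL) }
end

# Hypothetical helper: returns the proxy command as an argv array, never as
# one interpolated string, so no shell ever parses the provider's value.
def proxy_argv(proxy_bin, listen_port, host, host_port)
  unless valid_console_host?(host)
    raise ArgumentError, "rejected console host: #{host.inspect}"
  end
  port = Integer(host_port)
  raise ArgumentError, "rejected port: #{port}" unless port.between?(1, 65_535)
  [proxy_bin, Integer(listen_port).to_s, "#{host}:#{port}"]
end

# Defense in depth: spawn with separate arguments (no shell) and return what
# the child actually received. Metacharacters arrive as literal bytes.
def argv_seen_by_child(*args)
  out, status = Open3.capture2(RbConfig.ruby, "-e", 'print ARGV.join("\0")', "--", *args)
  raise "child failed" unless status.success?
  out.split("\0")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from any real compute resource.
  ["vm01.example.test", "192.0.2.10", "vm01.example.test;echo x", "vm01\n"].each do |h|
    puts "#{h.inspect}: #{valid_console_host?(h) ? 'accepted' : 'rejected'}"
  end
  p proxy_argv("/usr/local/bin/console-proxy", 5910, "vm01.example.test", "5900")
  p argv_seen_by_child("vm01.example.test;echo x")
end
```

Rejections raised by `proxy_argv` are worth logging with the offending value, since a hostname that fails this check is the same signal the second detection rule above looks for.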