This is the final release in the 3.16 series. Foreman 3.16.3 addresses a critical security vulnerability:
CVE-2026-1961: Fixed remote code execution via command injection in the WebSocket proxy. The vulnerability allowed potential RCE when administrators accessed VM consoles through malicious compute resource
providers. The fix ensures websockify is executed without shell interpretation, eliminating the command injection vector.
All users of Foreman 3.16.x are strongly encouraged to upgrade to 3.16.3 immediately.
Packages may be found in the 3.16 directories on both deb.theforeman.org and yum.theforeman.org, and tarballs are on downloads.theforeman.org.
The GPG key used for signing RPMs and tarballs has the following fingerprint:
4EF094BBD6C43ADA8E4190BD18357B59AD173208
The GPG key used for signing DEBs has the following fingerprint:
5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A.