Foreman 3.17.2 addresses a critical security vulnerability:
CVE-2026-1961: Fixed remote code execution via command injection in the WebSocket proxy. Connection details supplied by a compute resource provider were passed into the command line used to start websockify, so a malicious or compromised provider could achieve RCE on the Foreman host when an administrator opened a VM console. The fix executes websockify without shell interpretation, so provider-supplied values are passed as plain arguments and can no longer inject commands.
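The pattern behind this class of bug, shown as an added illustration that is not Foreman's code and does not reproduce the actual vulnerable or fixed implementation: `echo` stands in for the websockify binary (an assumption so the example runs anywhere), and the `host`/`port` values play the role of the console connection details a compute resource provider returns. The string form hands the command to `/bin/sh -c`, so a `;` in the host runs a second command; the argv form execs the binary directly, and the hardened variant additionally rejects anything that is not a hostname, IP address or valid port.

```ruby
require 'ipaddr'

# Stand-in for the real proxy binary so the example runs offline (assumption).
PROXY_BIN = 'echo'

# VULNERABLE: one interpolated string. IO.popen (like system/backticks) sees
# shell metacharacters and runs it through /bin/sh -c, so provider-controlled
# host/port values are interpreted by the shell.
def spawn_proxy_vulnerable(host, port)
  IO.popen("#{PROXY_BIN} #{host}:#{port}", &:read)
end

# FIX ANALOGUE: argv form. Ruby execs PROXY_BIN directly with each element as
# one argument; no shell is involved, so ';', '$(...)', '|' etc. are literal.
def spawn_proxy_no_shell(host, port)
  IO.popen([PROXY_BIN, "#{host}:#{port}"], &:read)
end

# Defence in depth: only accept values that look like a hostname or IP
# address and a TCP port, independent of how the process is spawned.
HOSTNAME_RE = /\A[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\z/

def valid_host?(host)
  return true if host.is_a?(String) && host.match?(HOSTNAME_RE)
  IPAddr.new(host) # accepts IPv4 and IPv6 literals
  true
rescue IPAddr::InvalidAddressError, IPAddr::Error, ArgumentError
  false
end

def spawn_proxy_hardened(host, port)
  raise ArgumentError, "invalid console host: #{host.inspect}" unless valid_host?(host)
  port = Integer(port, exception: false)
  raise ArgumentError, 'invalid console port' unless port && port.between?(1, 65535)
  spawn_proxy_no_shell(host, port)
end

if $PROGRAM_NAME == __FILE__
  # Constructed malicious value of the kind a hostile provider could return.
  evil_host = 'vm.example.org; echo INJECTED'
  puts "vulnerable: #{spawn_proxy_vulnerable(evil_host, 5900).inspect}"
  puts "no shell:   #{spawn_proxy_no_shell(evil_host, 5900).inspect}"
  begin
    spawn_proxy_hardened(evil_host, 5900)
  rescue ArgumentError => e
    puts "hardened:   rejected (#{e.message})"
  end
end
```

Run with plain `ruby`: the vulnerable call prints two lines because the shell executed the injected `echo`, the argv form prints the whole value as a single literal argument, and the hardened form refuses the value before anything is spawned. The same rule applies to `system`, `exec`, `Process.spawn` and backticks: pass an array, never an interpolated string, when any part comes from outside.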
All users of Foreman 3.17.x are strongly encouraged to upgrade to 3.17.2 immediately.
Packages may be found in the 3.17 directories on both deb.theforeman.org and yum.theforeman.org, and tarballs are on downloads.theforeman.org.
The GPG key used for signing RPMs and tarballs has the following fingerprint:
2C219CE8AC0A3BA2EDE8B652509E3BD3D6AB9AD1
The GPG key used for signing DEBs has the following fingerprint:
5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A