Foreman 3.18.1 addresses a critical security vulnerability:
CVE-2026-1961: Fixed remote code execution via command injection in the WebSocket proxy. The vulnerability allowed potential RCE when administrators accessed VM consoles through malicious compute resource providers. The fix ensures websockify is executed without shell interpretation, eliminating the command injection vector.
All users of Foreman 3.18.0 are strongly encouraged to upgrade to 3.18.1 immediately.
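To illustrate the class of fix described above (not Foreman's own code), the following added Ruby example contrasts building a websockify command as a shell string with building it as an argv array, which Ruby's Process.spawn and Open3 hand to the program directly without /bin/sh ever parsing it. The function names, the hostname allow-list and the positional argument order (listen port, then target host:port) are assumptions of this example.

```ruby
require 'open3'
require 'rbconfig'

# Allow-list for a host name that originates from a compute resource provider
# (assumed here; IPv6 literals would need their own rule).
HOST_RE = /\A[A-Za-z0-9.\-]{1,253}\z/
PORT_RANGE = (1..65_535)

# Vulnerable shape: one string destined for the shell. Untrusted provider data
# is interpolated into it, so shell metacharacters alter what actually runs.
def websockify_shell_command(listen_port, target_host, target_port)
  "websockify #{listen_port} #{target_host}:#{target_port}"
end

# Hardened shape: validate the inputs, then build an argv array. Each element
# reaches the program as exactly one argument; no shell interprets it.
def websockify_argv(listen_port, target_host, target_port, binary: 'websockify')
  raise ArgumentError, "bad host #{target_host.inspect}" unless target_host.match?(HOST_RE)
  raise ArgumentError, 'bad port' unless [listen_port, target_port].all? { |p| PORT_RANGE.cover?(p) }
  [binary, listen_port.to_s, "#{target_host}:#{target_port}"]
end

# Spawn from an argv array: Open3/Process.spawn with several arguments never
# invokes /bin/sh, so the array form is safe even without the validation above.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  [out, status.exitstatus]
end

# Stand-in for websockify so this runs anywhere: the current Ruby interpreter
# echoes ARGV back, showing the untrusted value arrives as one literal argument.
def demo_argv_is_literal(untrusted)
  out, _status = run_argv([RbConfig.ruby, '-e', 'puts ARGV', '--', untrusted])
  out.lines.map(&:chomp)
end

if $PROGRAM_NAME == __FILE__
  sample = 'vm.example;echo oops' # constructed value containing a metacharacter
  puts websockify_shell_command(5910, sample, 5900)  # shell would split at ';'
  puts demo_argv_is_literal(sample).inspect           # ["vm.example;echo oops"]
end
```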
Packages may be found in the 3.18 directories on both deb.theforeman.org and yum.theforeman.org, and tarballs are on downloads.theforeman.org.
The GPG key used for signing RPMs and tarballs has the following fingerprint:
CAB7B75A67A3DE88F9F76C3728D5752EFF70B304
The GPG key used for signing DEBs has the following fingerprint:
5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A