Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server.
redhat spacewalk 2.6
redhat satellite 5.0