Bug #7728

Required SSL redirect relies on Host header, which may be spoofed

Added by Dominic Cleal over 9 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Security
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Foreman allows an SSL connection to be forced by setting require_ssl to true in settings.yaml. The enforcement is implemented in app/controllers/application_controller.rb as shown below:

def require_ssl
  # if SSL is not configured, don't bother forcing it.
  return true unless SETTINGS[:require_ssl]
  # don't force SSL on localhost
  return true if request.host=~/localhost|127.0.0.1/
  # finally - redirect
  redirect_to :protocol => 'https' and return if request.protocol != 'https://' and not request.ssl?
end

An SSL connection is not forced when the request arrives with a Host header matching /localhost|127.0.0.1/. This header is client-controlled and can be spoofed, which bypasses the check:

$ nc 192.168.100.2 3000 <<EOF
GET / HTTP/1.1
Host: 127.0.0.1
EOF
HTTP/1.1 302 Found 
Location: http://127.0.0.1/users/login
...

$ ip route get 192.168.100.2
192.168.100.2 dev virbr1  src 192.168.100.1 

There are two possible solutions:
a) implement the check to rely on the peer IP address instead of the Host header:

return true if request.remote_ip == "127.0.0.1"

b) if the exception is not needed, remove the localhost exception altogether
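
Added example (not code from the Foreman tree): the Host-based check from the description beside the remote_ip-based variant from option a), run against a constructed request modelled on the nc session above. The Request struct, SETTINGS hash and sample addresses are stand-ins for the Rails objects the controller reads.

```ruby
# Constructed stand-in for the parts of a Rails request that require_ssl reads.
Request = Struct.new(:host, :remote_ip, :protocol, :ssl, keyword_init: true)

# Both checks return :allow (no redirect) or :redirect_https.
# Vulnerable form from the report: the localhost exception trusts the Host header,
# which the client chooses, so a remote peer can opt out of the redirect.
def require_ssl_host_based(req, settings)
  return :allow unless settings[:require_ssl]
  return :allow if req.host =~ /localhost|127.0.0.1/
  return :redirect_https if req.protocol != 'https://' && !req.ssl
  :allow
end

# Hardened form (option a): the exception is keyed on the peer address.
# Caveat (assumption about deployment, not from the report): in Rails, remote_ip
# is derived by the RemoteIp middleware, which may honour X-Forwarded-For from
# trusted proxies; behind a reverse proxy on the same box the "127.0.0.1" peer
# can be the proxy rather than the real client, so option b) is the safer choice.
def require_ssl_ip_based(req, settings)
  return :allow unless settings[:require_ssl]
  return :allow if req.remote_ip == '127.0.0.1'
  return :redirect_https if req.protocol != 'https://' && !req.ssl
  :allow
end

SETTINGS = { require_ssl: true }

# Constructed requests: a remote peer (192.168.100.1) sending Host: 127.0.0.1
# over plain HTTP, a genuine local request, and a proper TLS request.
SPOOFED = Request.new(host: '127.0.0.1', remote_ip: '192.168.100.1',
                      protocol: 'http://', ssl: false)
LOCAL   = Request.new(host: 'localhost', remote_ip: '127.0.0.1',
                      protocol: 'http://', ssl: false)
TLS     = Request.new(host: 'foreman.example', remote_ip: '192.168.100.1',
                      protocol: 'https://', ssl: true)

if __FILE__ == $0
  puts "host-based, spoofed Host: #{require_ssl_host_based(SPOOFED, SETTINGS)}" # allow (bypass)
  puts "ip-based,   spoofed Host: #{require_ssl_ip_based(SPOOFED, SETTINGS)}"   # redirect_https
  puts "ip-based,   genuine local: #{require_ssl_ip_based(LOCAL, SETTINGS)}"   # allow
end
```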

Thanks to Jan Rusnacko of Red Hat Product Security for reporting the issue to us at . We're treating this as security hardening rather than a CVE.
