5.3
CVE-2026-44188
- EPSS 0.28%
- Veröffentlicht 15.06.2026 08:36:06
- Zuletzt bearbeitet 15.06.2026 21:09:52
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2.7
Default Statusaffected
Version
1781025813
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.199 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-613 Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
https://access.redhat.com/errata/RHSA-2026:25928
https://access.redhat.com/security/cve/CVE-2026-44188
https://bugzilla.redhat.com/show_bug.cgi?id=2466764