CVE-2026-11807
- EPSS 0.37%
- Veröffentlicht 23.06.2026 19:40:33
- Zuletzt bearbeitet 27.06.2026 05:16:41
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged mess...
CVE-2026-12398
- EPSS 0.89%
- Veröffentlicht 16.06.2026 14:52:06
- Zuletzt bearbeitet 29.06.2026 18:16:36
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. A...
CVE-2026-44188
- EPSS 0.28%
- Veröffentlicht 15.06.2026 08:36:06
- Zuletzt bearbeitet 15.06.2026 21:09:52
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authoriz...
CVE-2026-11332
- EPSS 0.16%
- Veröffentlicht 05.06.2026 08:21:43
- Zuletzt bearbeitet 30.06.2026 03:17:08
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrar...
CVE-2026-6266
- EPSS 0.4%
- Veröffentlicht 04.05.2026 14:16:35
- Zuletzt bearbeitet 30.06.2026 03:21:11
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This ...
CVE-2025-57847
- EPSS 0.15%
- Veröffentlicht 08.04.2026 13:55:00
- Zuletzt bearbeitet 01.05.2026 20:19:48
A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who ...
CVE-2025-9909
- EPSS 0.17%
- Veröffentlicht 27.02.2026 07:30:00
- Zuletzt bearbeitet 25.03.2026 20:18:06
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or social...
CVE-2025-9908
- EPSS 0.2%
- Veröffentlicht 27.02.2026 07:29:32
- Zuletzt bearbeitet 25.03.2026 20:19:13
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*)...
CVE-2025-9907
- EPSS 0.17%
- Veröffentlicht 27.02.2026 07:29:06
- Zuletzt bearbeitet 26.03.2026 16:56:31
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event ...
CVE-2025-14025
- EPSS 0.39%
- Veröffentlicht 08.01.2026 13:44:04
- Zuletzt bearbeitet 15.04.2026 00:35:42
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on ba...