Skip to main content

Ansible Automation Platform CVE-2026-12382

HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-07-15 redhat
8.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network header spoofing (PR:N/AV:N/AC:L) yields arbitrary event injection so I:H; impact is injection not disclosure or downtime, so C:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 17:50 vuln.today
CVE Published
Jul 15, 2026 - 17:21 cve.org
HIGH 8.2

DescriptionCVE.org

A flaw was found in the AAP Gateway Envoy proxy configuration. The non-mTLS route to EDA event streams does not remove the Subject HTTP header from client requests, despite the source code defining requestHeadersToRemove for this header. An unauthenticated remote attacker can inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.

AnalysisAI

mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach AAP Gateway non-mTLS EDA route
Delivery
Obtain a valid client certificate DN
Exploit
Craft request with spoofed Subject header
Execution
Bypass Envoy mTLS identity check
Persist
Inject arbitrary events into EDA stream
Impact
Trigger unauthorized automation

Vulnerability AssessmentAI

Exploitation Exploitation requires that the AAP Gateway expose the non-mTLS route to EDA event streams - the specific misconfigured path where Envoy fails to remove the inbound Subject header; deployments that only serve EDA event streams over enforced mTLS are not exposed via this vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N, 8.2 High) indicates network-reachable, low-complexity, unauthenticated exploitation with high integrity impact and no availability impact - consistent with the description of arbitrary event injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker who can reach the AAP Gateway over the network and who has learned a valid client certificate's Distinguished Name sends an ordinary HTTP request to the non-mTLS EDA event-stream route with a forged Subject header set to that DN. Because Envoy does not strip the header on this route, the request is treated as an authenticated client, and the attacker injects arbitrary events into a protected EDA stream - potentially triggering unauthorized automation. …
Remediation No vendor-released patch version was identified in the available data; monitor and apply the fix listed on the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12382 (tracking bug https://bugzilla.redhat.com/show_bug.cgi?id=2489126) once a fixed AAP 2 release is published, as the root cause is a corrected Envoy requestHeadersToRemove configuration that strips the Subject header on the EDA route. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Red Hat Ansible Automation Platform instances with Event-Driven Ansible enabled (consult vendor advisories for affected versions) and immediately restrict network access to the Gateway Envoy proxy to only trusted and authenticated users via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy