Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Token exfiltration prerequisite justifies AC:H; PR:L reflects assumed low-level environmental access; read-only impact yields C:H/I:N/A:N.
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.
AnalysisAI
Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a remote attacker who has exfiltrated a valid access token to maintain persistent authenticated sessions even after the legitimate user has logged out. The backend fails to revoke the token server-side on logout, leaving it exploitable until natural expiration. Successful exploitation enables unauthorized read access to sensitive Ansible resources - including inventories, playbooks, and configuration data - with no public exploit or CISA KEV listing identified at time of analysis.
Technical ContextAI
CWE-613 (Insufficient Session Expiration) describes the root cause: the application's authorization server does not honor OAuth 2.0 token revocation upon user logout, violating RFC 7009. Ansible Lightspeed is an AI-powered assistant integrated into Red Hat Ansible Automation Platform (AAP). Per CPE data (cpe:2.3:a:red_hat:red_hat_ansible_automation_platform_2.7 and cpe:2.3:a:red_hat:red_hat_ansible_automation_platform_2), the affected products span AAP 2 and specifically AAP 2.7. OAuth access tokens are bearer credentials - whoever holds one is treated as authorized regardless of the originating session state. The missing server-side invalidation means that a token intercepted during an active session retains full read-authorized scope even after the session owner believes they have terminated their access.
RemediationAI
A vendor-released patch is available per Red Hat Security Advisory RHSA-2026:25928 (https://access.redhat.com/errata/RHSA-2026:25928); organizations should apply this update immediately. The advisory should be consulted for the specific patched package version. As a compensating control prior to patching, administrators should configure the shortest operationally acceptable OAuth token lifetime in the AAP identity provider settings to reduce the window of exposure - note this may require users to re-authenticate more frequently. Additionally, reviewing and rotating any OAuth tokens currently in use, and auditing access logs for anomalous post-logout authentication events, will help detect whether exfiltrated tokens are already being abused. Restricting access to Ansible Lightspeed endpoints at the network perimeter for non-authorized source IPs can reduce exposure surface, though this is not a substitute for patching.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36702
GHSA-r7cm-w9ch-cf3g