Skip to main content

Ansible Lightspeed CVE-2026-44188

| EUVDEUVD-2026-36702 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-06-15 redhat GHSA-r7cm-w9ch-cf3g
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Token exfiltration prerequisite justifies AC:H; PR:L reflects assumed low-level environmental access; read-only impact yields C:H/I:N/A:N.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 10:32 vuln.today

DescriptionNVD

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.

AnalysisAI

Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a remote attacker who has exfiltrated a valid access token to maintain persistent authenticated sessions even after the legitimate user has logged out. The backend fails to revoke the token server-side on logout, leaving it exploitable until natural expiration. Successful exploitation enables unauthorized read access to sensitive Ansible resources - including inventories, playbooks, and configuration data - with no public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

CWE-613 (Insufficient Session Expiration) describes the root cause: the application's authorization server does not honor OAuth 2.0 token revocation upon user logout, violating RFC 7009. Ansible Lightspeed is an AI-powered assistant integrated into Red Hat Ansible Automation Platform (AAP). Per CPE data (cpe:2.3:a:red_hat:red_hat_ansible_automation_platform_2.7 and cpe:2.3:a:red_hat:red_hat_ansible_automation_platform_2), the affected products span AAP 2 and specifically AAP 2.7. OAuth access tokens are bearer credentials - whoever holds one is treated as authorized regardless of the originating session state. The missing server-side invalidation means that a token intercepted during an active session retains full read-authorized scope even after the session owner believes they have terminated their access.

RemediationAI

A vendor-released patch is available per Red Hat Security Advisory RHSA-2026:25928 (https://access.redhat.com/errata/RHSA-2026:25928); organizations should apply this update immediately. The advisory should be consulted for the specific patched package version. As a compensating control prior to patching, administrators should configure the shortest operationally acceptable OAuth token lifetime in the AAP identity provider settings to reduce the window of exposure - note this may require users to re-authenticate more frequently. Additionally, reviewing and rotating any OAuth tokens currently in use, and auditing access logs for anomalous post-logout authentication events, will help detect whether exfiltrated tokens are already being abused. Restricting access to Ansible Lightspeed endpoints at the network perimeter for non-authorized source IPs can reduce exposure surface, though this is not a substitute for patching.

Vendor StatusVendor

Share

CVE-2026-44188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy