Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
AnalysisAI
Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.
Technical ContextAI
This vulnerability affects the AAP (Ansible Automation Platform) gateway component in version 2.6 for RHEL 9, specifically the user auto-link strategy for federated authentication. The flaw represents CWE-305 (Authentication Bypass by Primary Weakness), where the system automatically links external Identity Provider identities to local user accounts using email as the sole matching criterion without implementing email ownership verification challenges. In federated identity systems, proper account linking should require cryptographic proof or verified email ownership to prevent account takeover. The vulnerability allows attackers to exploit the trust relationship between AAP and external IDPs by registering IDP accounts with victim email addresses that they do not actually control, then authenticating through the IDP to automatically link to and gain access to the victim's AAP account. This affects organizations using SAML, OAuth, or other external authentication providers with AAP 2.6.
RemediationAI
Apply Red Hat Security Advisory RHSA-2026:13508 immediately, available at https://access.redhat.com/errata/RHSA-2026:13508, which provides the patched version that implements email ownership verification in the auto-link process. Until patching is complete, disable the user auto-link feature in AAP 2.6 gateway configuration if this functionality is not operationally required; this prevents automatic account linking but requires manual user provisioning and may disrupt federated authentication workflows for new users. For organizations that must maintain auto-link functionality pre-patch, implement strict IDP-side controls including verified email domain restrictions, multi-factor authentication requirements for all IDP accounts, and monitoring for suspicious account linking events in AAP audit logs, though these compensating controls do not fully mitigate the vulnerability since the email verification failure exists in AAP itself. Review existing account linkages established since AAP 2.6 deployment for anomalous patterns such as administrative accounts linked to recently created IDP identities or multiple account links from single IDP accounts.
Same weakness CWE-305 – Authentication Bypass by Primary Weakness
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26967