Skip to main content

Ansible Automation Platform CVE-2026-6266

| EUVDEUVD-2026-26967 HIGH
Authentication Bypass by Primary Weakness (CWE-305)
2026-05-04 redhat
8.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 14:30 vuln.today
EUVD ID Assigned
May 04, 2026 - 14:15 euvd
EUVD-2026-26967
Analysis Generated
May 04, 2026 - 14:15 vuln.today
CVE Published
May 04, 2026 - 13:47 nvd
HIGH 8.3

DescriptionCVE.org

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.

AnalysisAI

Authentication bypass in Red Hat Ansible Automation Platform 2.6 allows authenticated attackers to hijack arbitrary user accounts, including administrator accounts, via email-based identity provider linking manipulation. The AAP gateway's user auto-link feature matches external IDP identities to existing accounts by email without ownership verification, enabling account takeover when an attacker controls an IDP account with a victim's email address. Red Hat has released patch RHSA-2026:13508. EPSS and KEV data not provided, but the low attack complexity (AC:L) and high confidentiality/integrity impact make this a critical authentication control failure requiring immediate remediation in environments using external identity providers.

Technical ContextAI

This vulnerability affects the AAP (Ansible Automation Platform) gateway component in version 2.6 for RHEL 9, specifically the user auto-link strategy for federated authentication. The flaw represents CWE-305 (Authentication Bypass by Primary Weakness), where the system automatically links external Identity Provider identities to local user accounts using email as the sole matching criterion without implementing email ownership verification challenges. In federated identity systems, proper account linking should require cryptographic proof or verified email ownership to prevent account takeover. The vulnerability allows attackers to exploit the trust relationship between AAP and external IDPs by registering IDP accounts with victim email addresses that they do not actually control, then authenticating through the IDP to automatically link to and gain access to the victim's AAP account. This affects organizations using SAML, OAuth, or other external authentication providers with AAP 2.6.

RemediationAI

Apply Red Hat Security Advisory RHSA-2026:13508 immediately, available at https://access.redhat.com/errata/RHSA-2026:13508, which provides the patched version that implements email ownership verification in the auto-link process. Until patching is complete, disable the user auto-link feature in AAP 2.6 gateway configuration if this functionality is not operationally required; this prevents automatic account linking but requires manual user provisioning and may disrupt federated authentication workflows for new users. For organizations that must maintain auto-link functionality pre-patch, implement strict IDP-side controls including verified email domain restrictions, multi-factor authentication requirements for all IDP accounts, and monitoring for suspicious account linking events in AAP audit logs, though these compensating controls do not fully mitigate the vulnerability since the email verification failure exists in AAP itself. Review existing account linkages established since AAP 2.6 deployment for anomalous patterns such as administrative accounts linked to recently created IDP identities or multiple account links from single IDP accounts.

Vendor StatusVendor

Share

CVE-2026-6266 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy