Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the toolsetroute parameter. This parameter is not properly sanitized before being written to logs, allowing the attacker to inject control characters such as newlines and ANSI escape sequences. This enables the attacker to obscure legitimate log entries and insert forged ones, which could facilitate social engineering attacks, potentially leading to an operator executing dangerous commands or visiting malicious URLs.
AnalysisAI
Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the toolsetroute parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability resides in the AAP MCP (Model Control Plane) server's request handling logic, specifically where the toolsetroute parameter is processed and logged. The root cause is insufficient input sanitization before log output (CWE-117: Improper Output Neutralization for Logs), a class of injection flaw distinct from code injection but equally dangerous in audit-trail integrity contexts. The MCP server processes HTTP requests containing user-supplied parameters that are directly concatenated into log messages without escaping special characters. An attacker can embed newline characters (\n) to create fake log lines and ANSI escape sequence codes (e.g., \x1b[0m, color codes) to visually manipulate terminal output, causing legitimate entries to appear forged or deleted. This affects Red Hat Ansible Automation Platform 2, a widely deployed enterprise automation framework that uses the MCP server as a communication hub between control nodes and managed systems.
RemediationAI
Apply the vendor-released security patch for Red Hat Ansible Automation Platform 2 as documented in the Red Hat Security Advisory (https://access.redhat.com/security/cve/CVE-2026-6494). The patch addresses the toolsetroute parameter handling in the MCP server by implementing proper input sanitization and log output neutralization (stripping or escaping control characters and ANSI sequences before writing to logs). Exact patched version numbers should be obtained from the advisory. As an interim compensating control, restrict network access to the MCP server port (typically TCP 443 or 8444, depending on deployment) using firewall rules or network policies, limiting exposure to trusted control networks only; this does not eliminate the vulnerability but reduces the attack surface. Additionally, enable log monitoring with strict parsing rules that alert on unexpected newlines or ANSI sequences within parameter fields, and implement out-of-band log integrity verification (e.g., centralized syslog with cryptographic signing) to detect forged entries. Note that these controls add operational overhead and do not prevent the injection itself; patching is the definitive fix.
Same weakness CWE-117 – Improper Output Neutralization for Logs
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23400
GHSA-c63q-7gvc-8xq3