Skip to main content

Red Hat Ansible Automation Platform 2

7 CVEs product

Monthly

CVE-2026-12382 HIGH This Week

mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.

Authentication Bypass Red Hat Ansible Automation Platform 2
NVD
CVSS 3.1
8.2
CVE-2026-11807 CRITICAL PATCH Act Now

Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. No public exploit identified at time of analysis, but the low attack complexity and scope-changed CVSS of 9.6 make this a high-priority patch.

Hashicorp Authentication Bypass Red Hat Ansible Automation Platform 2 5 Red Hat Ansible Automation Platform 2 6 Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-12726 MEDIUM This Month

Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.

SSRF Red Hat Ansible Automation Platform 2 Red Hat
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-12398 PyPI HIGH GHSA This Week

Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). No public exploit identified at time of analysis.

Command Injection RCE Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2026-44188 MEDIUM PATCH This Month

Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a remote attacker who has exfiltrated a valid access token to maintain persistent authenticated sessions even after the legitimate user has logged out. The backend fails to revoke the token server-side on logout, leaving it exploitable until natural expiration. Successful exploitation enables unauthorized read access to sensitive Ansible resources - including inventories, playbooks, and configuration data - with no public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Red Hat Ansible Automation Platform 2 7 Red Hat Ansible Automation Platform 2 Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-52902 MEDIUM This Month

Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file via the AWX CLI. Affecting Red Hat Ansible Automation Platform 2, the vulnerability (CWE-22) allows an unauthenticated attacker who can deliver a malicious YAML file to a victim to read arbitrary YAML-formatted files from that user's local filesystem - including potentially sensitive configuration, credential, or key material files - without any write or execution capability. No public exploit identified at time of analysis; CVSS 4.7 reflects the real-world constraints of local attack vector, high complexity, and mandatory user interaction.

Path Traversal Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-57847 MEDIUM This Month

Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.

Privilege Escalation Red Hat Ansible Automation Platform 2
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVSS 8.2
HIGH This Week

mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.

Authentication Bypass Red Hat Ansible Automation Platform 2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. No public exploit identified at time of analysis, but the low attack complexity and scope-changed CVSS of 9.6 make this a high-priority patch.

Hashicorp Authentication Bypass Red Hat Ansible Automation Platform 2 5 +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.

SSRF Red Hat Ansible Automation Platform 2 Red Hat
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). No public exploit identified at time of analysis.

Command Injection RCE Red Hat Ansible Automation Platform 2
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a remote attacker who has exfiltrated a valid access token to maintain persistent authenticated sessions even after the legitimate user has logged out. The backend fails to revoke the token server-side on logout, leaving it exploitable until natural expiration. Successful exploitation enables unauthorized read access to sensitive Ansible resources - including inventories, playbooks, and configuration data - with no public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Red Hat Ansible Automation Platform 2 7 Red Hat Ansible Automation Platform 2 +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file via the AWX CLI. Affecting Red Hat Ansible Automation Platform 2, the vulnerability (CWE-22) allows an unauthenticated attacker who can deliver a malicious YAML file to a victim to read arbitrary YAML-formatted files from that user's local filesystem - including potentially sensitive configuration, credential, or key material files - without any write or execution capability. No public exploit identified at time of analysis; CVSS 4.7 reflects the real-world constraints of local attack vector, high complexity, and mandatory user interaction.

Path Traversal Red Hat Ansible Automation Platform 2
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.

Privilege Escalation Red Hat Ansible Automation Platform 2
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy