Red Hat Ansible Automation Platform Developer
By the Year
In 2026 there have been 0 vulnerabilities in Red Hat Ansible Automation Platform Developer. Last year, in 2025, Ansible Automation Platform Developer had 5 security vulnerabilities published. Right now, Ansible Automation Platform Developer is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 5 | 6.76 |
| 2024 | 10 | 6.18 |
| 2023 | 5 | 6.66 |
It may take a day or so for new Ansible Automation Platform Developer vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Ansible Automation Platform Developer Security Vulnerabilities
Ansible AAP Gateway CSRF Vulnerability (CVE-2025-5988)
CVE-2025-5988
5.3 - Medium
- August 04, 2025
A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.
Session Riding
AAP: Clear Text Client Secret Exposure in Gateway API
CVE-2025-7738
4.4 - Medium
- July 31, 2025
A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited to privileged users, the clear text exposure of sensitive credentials increases the risk of accidental leaks or misuse.
Cleartext Storage of Sensitive Information
Ansible EDA Git ls-remote Injection Enables Command Exec
CVE-2025-49520
8.8 - High
- June 30, 2025
A flaw was found in the Ansible Automation Platform's EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
Argument Injection
Authenticated RCE via Jinja2 Injection in Ansible Automation Platform EDA
CVE-2025-49521
8.8 - High
- June 30, 2025
A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.
Code Injection
Ansible Event-Driven Exposes Inventory Passwords in Debug Mode
CVE-2025-2877
6.5 - Medium
- March 28, 2025
A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.
Debug Messages Revealing Unnecessary Information
Ansible Automation Platform OAuth2 Token Privilege Escalation Vulnerability
CVE-2024-11483
5 - Medium
- November 25, 2024
A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user's assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services.
Authorization
Ansible-Core Unsafe Content Protection Bypass via Hostvars Object
CVE-2024-11079
5.5 - Medium
- November 12, 2024
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
Improper Input Validation
Ansible User Module Privilege Escalation
CVE-2024-9902
6.3 - Medium
- November 06, 2024
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
AuthZ
Cross-Site Scripting (XSS) in aap-gateway 'next' redirect flaw
CVE-2024-10033
6.1 - Medium
- October 16, 2024
A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data.
XSS
Ansible include_vars leak: Vault secrets exposed in logs
CVE-2024-8775
5.5 - Medium
- September 14, 2024
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
Insertion of Sensitive Information into Log File
Ansible Automation Controller Improper Auth via k8s ServiceAccount Token
CVE-2024-6840
6.6 - Medium
- September 12, 2024
An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8s API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
AuthZ
Pulp RBAC flaw causes improper perms via AutoAddObjPermsMixin (CVE-2024-7143)
CVE-2024-7143
- August 07, 2024
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
Insecure Inherited Permissions
Ansible: Insecure WebSocket Leak Rulebook Data (CVE-2024-1657)
CVE-2024-1657
8.1 - High
- April 25, 2024
A flaw was found in the Ansible Automation Platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.
CWE-1385
Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394
7.5 - High
- March 21, 2024
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Memory Leak
Ansible Core Info Disclosure via ANSIBLE_NO_LOG Ignored
CVE-2024-0690
5 - Medium
- February 06, 2024
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Improper Output Neutralization for Logs
Ansible Automation Path Traversal via Malicious Role
CVE-2023-5115
6.3 - Medium
- December 18, 2023
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
Absolute Path Traversal
Ansible: Template Injection via Unsafe Flag Removal in Controller (Jinja2)
CVE-2023-5764
7.1 - High
- December 12, 2023
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.
CWE-1336
Ansible Path Traversal (Galaxy Importer) Symlink Drop
CVE-2023-5189
6.3 - Medium
- November 14, 2023
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
Relative Path Traversal
Plaintext Credential Logging in Ansible Automation Platform
CVE-2023-4380
6.3 - Medium
- October 04, 2023
A logic flaw exists in the Ansible Automation Platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
Insertion of Sensitive Information into Log File
HTML Injection in UI Settings Controller Enables Credential Theft
CVE-2023-3971
7.3 - High
- October 04, 2023
An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.
Basic XSS