Red Hat Ansible Automation Platform

Recent Red Hat Ansible Automation Platform Security Advisories

| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:1609 | Red Hat Ansible Automation Platform 2.5 Container Release Update | January 30, 2026 |
| RHSA-2026:1600 | Red Hat Ansible Automation Platform 2.5 Container Release Update | January 29, 2026 |
| RHSA-2026:1599 | Red Hat Ansible Automation Platform 2.4 Container Release Update | January 29, 2026 |
| RHSA-2026:1596 | Red Hat Ansible Automation Platform 2.6 Container Release Update | January 29, 2026 |
| RHSA-2026:1506 | Important: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update | January 28, 2026 |
| RHSA-2026:1497 | Important: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update | January 28, 2026 |
| RHSA-2026:1249 | Important: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update | January 26, 2026 |
| RHSA-2026:0409 | Red Hat Ansible Automation Platform 2.5 Container Release Update | January 8, 2026 |
| RHSA-2026:0408 | Red Hat Ansible Automation Platform 2.6 Container Release Update | January 8, 2026 |
| RHSA-2026:0406 | Red Hat Ansible Automation Platform 2.4 Container Release Update | January 8, 2026 |

By the Year

In 2026 there have been 2 vulnerabilities in Red Hat Ansible Automation Platform, with an average score of 6.4 out of ten. Last year, in 2025, Ansible Automation Platform had 11 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Ansible Automation Platform in 2026 could surpass last year's number. In addition, the average CVE base score of the vulnerabilities in 2026 is greater by 0.04.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.35 |
| 2025 | 11 | 6.31 |
| 2024 | 16 | 6.25 |
| 2023 | 7 | 6.87 |
| 2022 | 5 | 6.02 |
| 2021 | 4 | 7.30 |

It may take a day or so for new Ansible Automation Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Ansible Automation Platform Security Vulnerabilities

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions
CVE-2026-0598 4.2 - Medium - February 06, 2026

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.

Unverified Ownership

A flaw was found in Ansible Automation Platform (AAP)
CVE-2025-14025 8.5 - High - January 08, 2026

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC).

Incorrect Execution-Assigned Permissions

Nx npm package tampering: FS scan and credential exfil to GitHub
CVE-2025-10894 9.6 - Critical - September 24, 2025

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's account.

Embedded Malicious Code

Ansible AAP Gateway CSRF Vulnerability (CVE-2025-5988)
CVE-2025-5988 5.3 - Medium - August 04, 2025

A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.

Session Riding

AAP: Clear Text Client Secret Exposure in Gateway API
CVE-2025-7738 4.4 - Medium - July 31, 2025

A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited to privileged users, the clear text exposure of sensitive credentials increases the risk of accidental leaks or misuse.

Cleartext Storage of Sensitive Information

Ansible Tower Cookie Misconfig: MitM & XSS via Unsecured Cookies
CVE-2025-53861 3.1 - Low - July 11, 2025

A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to read transmitted data.

Cleartext Transmission of Sensitive Information

Ansible API Unauthenticated Verbose Data Exposure
CVE-2025-53862 3.5 - Low - July 11, 2025

A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Authenticated RCE via Jinja2 Injection in Ansible Automation Platform EDA
CVE-2025-49521 8.8 - High - June 30, 2025

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

Code Injection

Ansible EDA Git ls-remote Injection Enables Command Exec
CVE-2025-49520 8.8 - High - June 30, 2025

A flaw was found in the Ansible Automation Platform's EDA component, where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

Argument Injection

MIT Kerberos GSSAPI Message Spoofing via RC4-HMAC-MD5 Collisions
CVE-2025-3576 5.9 - Medium - April 15, 2025

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Reversible One-Way Hash

Ansible Event-Driven Exposes Inventory Passwords in Debug Mode
CVE-2025-2877 6.5 - Medium - March 28, 2025

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.

Debug Messages Revealing Unnecessary Information

Ansible AAP-Gateway grpc RCE: Race Condition Exposes Elevated JWT
CVE-2025-1801 8.1 - High - March 03, 2025

A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.

Race Condition

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Ansible Automation Platform OAuth2 Token Privilege Escalation Vulnerability
CVE-2024-11483 5 - Medium - November 25, 2024

A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user's assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services.

Authorization

Ansible-Core Unsafe Content Protection Bypass via Hostvars Object
CVE-2024-11079 5.5 - Medium - November 12, 2024

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

Improper Input Validation

Ansible User Module Privilege Escalation
CVE-2024-9902 6.3 - Medium - November 06, 2024

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

AuthZ

Cross-Site Scripting (XSS) in aap-gateway 'next' redirect flaw
CVE-2024-10033 6.1 - Medium - October 16, 2024

A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data.

XSS

Use-After-Free in PyO3 via weak ref unsound borrow
CVE-2024-9979 5.3 - Medium - October 15, 2024

A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.

Dangling pointer

Ansible AAP EDA Data Exfiltration via Unencrypted Transmission
CVE-2024-9620 5.3 - Medium - October 08, 2024

A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the plaintext data transmitted between the EDA and AAP. An attacker with system access could exploit this vulnerability by reading the plaintext data stored in EDA and AAP databases.

Cleartext Transmission of Sensitive Information

Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355 6.5 - Medium - October 01, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Use of Uninitialized Variable

Ansible include_vars leak: Vault secrets exposed in logs
CVE-2024-8775 5.5 - Medium - September 14, 2024

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

Insertion of Sensitive Information into Log File

Ansible Automation Controller Improper Auth via k8s ServiceAccount Token
CVE-2024-6840 6.6 - Medium - September 12, 2024

An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8s API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.

AuthZ

Pulp RBAC flaw causes improper perms via AutoAddObjPermsMixin (CVE-2024-7143)
CVE-2024-7143 - August 07, 2024

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

Insecure Inherited Permissions

Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727 8.3 - High - May 14, 2024

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

Improper Validation of Integrity Check Value

Ansible: Insecure WebSocket Leak Rulebook Data (CVE-2024-1657)
CVE-2024-1657 8.1 - High - April 25, 2024

A flaw was found in the Ansible Automation Platform. An insecure WebSocket connection was being used in the installation from the Ansible rulebook EDA server. An attacker with access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.

Missing Origin Validation in WebSockets (CWE-1385)

Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394 7.5 - High - March 21, 2024

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Memory Leak

JWCrypto Library DoS via Computationally Intensive Brute-Force Capability
CVE-2023-6681 5.3 - Medium - February 12, 2024

A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

Resource Exhaustion

Ansible Core Info Disclosure via ANSIBLE_NO_LOG Ignored
CVE-2024-0690 5 - Medium - February 06, 2024

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Improper Output Neutralization for Logs

python-cryptography: Remote Decryption of TLS RSA Exchanges
CVE-2023-50782 7.5 - High - February 05, 2024

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Observable Timing Discrepancy

Ansible Automation Path Traversal via Malicious Role
CVE-2023-5115 6.3 - Medium - December 18, 2023

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

Absolute Path Traversal

Ansible: Template Injection via Unsafe Flag Removal in Controller (Jinja2)
CVE-2023-5764 7.1 - High - December 12, 2023

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

Ansible Path Traversal (Galaxy Importer) Symlink Drop
CVE-2023-5189 6.3 - Medium - November 14, 2023

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.

Relative Path Traversal

HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

HTML Injection in UI Settings Controller Enables Credential Theft
CVE-2023-3971 7.3 - High - October 04, 2023

An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

Basic XSS

Plaintext Credential Logging in Ansible Automation Platform
CVE-2023-4380 6.3 - Medium - October 04, 2023

A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.

Insertion of Sensitive Information into Log File

Ansible Platform ec2_key Exposes PK via Stdout Logs
CVE-2023-4237 7.3 - High - October 04, 2023

A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Pulp Ansible Remote Token Plaintext Exposure via API
CVE-2022-3644 5.5 - Medium - October 25, 2022

The collection remote for pulp_ansible stores tokens in plaintext instead of using Pulp's encrypted field, and exposes them in read/write mode via the API instead of marking the field as write-only.

Insufficiently Protected Credentials

Red Hat Ansible Automation Platform 1.2/2.0 UI XSS via project name
CVE-2022-3205 6.1 - Medium - September 13, 2022

Cross-site scripting in the automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0, where the project name is susceptible to XSS injection.

XSS

OpenShift Improper Cert Validation via Re-encrypt Route Skipping TLS
CVE-2022-1632 6.5 - Medium - September 01, 2022

An Improper Certificate Validation flaw was found in OpenShift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.

Improper Certificate Validation

Privilege Escalation in Ansible Automation Platform by Authenticated User
CVE-2022-2568 6.5 - Medium - August 18, 2022

A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser account and also remove the superuser privileges.

Improper Privilege Management

A flaw was found in Ansible Galaxy Collections
CVE-2021-3681 5.5 - Medium - April 18, 2022

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the `build_ignore` list in "galaxy.yml" are included in the `.tar.gz` file. This can contain sensitive info, such as the user's Ansible Galaxy API key and any secrets in `ansible` or `ansible-playbook` verbose output without the `no_log` redaction. Currently, there is no way to deprecate a Collection or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Insufficiently Protected Credentials

A flaw was found in Ansible, where a user's controller is vulnerable to template injection
CVE-2021-3583 7.1 - High - September 22, 2021

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

Code Injection

Rejected reason: This CVE is marked as INVALID and not a bug
CVE-2021-3532 - June 09, 2021

Rejected reason: This CVE is marked as INVALID and not a bug

Rejected reason: This vulnerability does not meet the criteria for a security vulnerability
CVE-2021-3533 - June 09, 2021

Rejected reason: This vulnerability does not meet the criteria for a security vulnerability

A flaw was found in the Ansible Engine 2.9.18
CVE-2021-20228 7.5 - High - April 29, 2021

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.

Information Disclosure

Vendor: Red Hat