CVE-2025-14025: AAP OAuth2 Token Escalation to Write Ops
CVE-2025-14025 Published on January 8, 2026
Ansible-automation-platform/aap-gateway: aap-gateway: read-only personal access token (pat) bypasses write restrictions
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level only for Gateway-specific operations. As a result, a read-only token can still perform write operations on backend services (for example Controller, Hub and EDA). If this flaw were exploited, an attacker's capabilities would be limited only by role-based access control (RBAC).
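To make the enforcement gap concrete, the following is an added illustrative model, not code from the AAP gateway or from Red Hat. It models a gateway that authenticates a token and then either serves a gateway-local path or forwards the request to a backend service. `vulnerable_authorize` applies the token's scope only on gateway-local paths (the flaw pattern described above), while `hardened_authorize` maps the HTTP method to a required scope before any routing decision. The path prefixes, the scope names "read" and "write", and the token table are assumptions chosen for the example.

```python
"""Illustrative model of the scope-enforcement gap described in CVE-2025-14025.

Added example, not AAP gateway code. Path prefixes, scope names and the
token table below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed token table: token string -> scope (assumed scope names).
TOKENS: Dict[str, str] = {
    "tok-ro-aaaa": "read",
    "tok-rw-bbbb": "write",
}

# Methods that never change state; everything else needs the "write" scope.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Assumed prefixes: the gateway's own API and the proxied backend services.
GATEWAY_PREFIX = "/api/gateway/"
PROXIED_PREFIXES = ("/api/controller/", "/api/galaxy/", "/api/eda/")


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    token: str


def _scope_of(token: str) -> Optional[str]:
    return TOKENS.get(token)


def _required_scope(method: str) -> str:
    return "read" if method.upper() in SAFE_METHODS else "write"


def vulnerable_authorize(req: Request) -> Tuple[int, str]:
    """Flaw pattern: scope is consulted only for gateway-local operations."""
    scope = _scope_of(req.token)
    if scope is None:
        return 401, "unauthenticated"
    if req.path.startswith(GATEWAY_PREFIX):
        if _required_scope(req.method) == "write" and scope != "write":
            return 403, "read-only token"
        return 200, "gateway"
    if req.path.startswith(PROXIED_PREFIXES):
        # Forwarded with the caller's identity but without the scope check,
        # so backend RBAC is the only remaining control on the write.
        return 200, "proxied"
    return 404, "unknown path"


def hardened_authorize(req: Request) -> Tuple[int, str]:
    """Hardened form: scope is enforced before routing, so it covers every path."""
    scope = _scope_of(req.token)
    if scope is None:
        return 401, "unauthenticated"
    if _required_scope(req.method) == "write" and scope != "write":
        return 403, "read-only token"
    if req.path.startswith(GATEWAY_PREFIX):
        return 200, "gateway"
    if req.path.startswith(PROXIED_PREFIXES):
        return 200, "proxied"
    return 404, "unknown path"


def probe(authorize: Callable[[Request], Tuple[int, str]]) -> Dict[str, int]:
    """Run constructed requests through an authorizer; returns the status per case."""
    cases = {
        "ro_get_gateway": Request("GET", "/api/gateway/v1/users/", "tok-ro-aaaa"),
        "ro_post_gateway": Request("POST", "/api/gateway/v1/users/", "tok-ro-aaaa"),
        "ro_post_controller": Request(
            "POST", "/api/controller/v2/job_templates/1/launch/", "tok-ro-aaaa"),
        "rw_post_controller": Request(
            "POST", "/api/controller/v2/job_templates/1/launch/", "tok-rw-bbbb"),
        "bad_token": Request("GET", "/api/gateway/v1/me/", "tok-zzzz"),
    }
    return {name: authorize(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_authorize), ("hardened", hardened_authorize)):
        print(name, probe(fn))
```

The case to watch is `ro_post_controller`: the read-only token is refused on the gateway-local write but accepted on the proxied write under the flawed check, which is exactly the behaviour the advisory describes. The hardened version derives the required scope from the HTTP method once, ahead of routing, so adding a new backend prefix cannot silently reopen the gap.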
Vulnerability Analysis
CVE-2025-14025 can be exploited with network access and requires only low privileges (a valid read-only token). This vulnerability is considered to have high attack complexity. The potential impact of an exploit of this vulnerability is considered very high.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Incorrect Execution-Assigned Permissions
While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
Products Associated with CVE-2025-14025
Affected Versions
Red Hat Ansible Automation Platform 2.5 for RHEL 8:
- Version 0:2.5.20260106-1.el8ap and below * is unaffected.
- Version 0:2.5.20260106-1.el9ap and below * is unaffected.
- Version 0:2.6.20260106-1.el9ap and below * is unaffected.
- Version sha256:2df290b61d7aac08deec2973d0a9b98788f6b619e974af0b3f4b61c759c7e464 and below * is unaffected.
- Version sha256:766c7570afc4e9b163a3256a0d7c699327905c1d24213229acb0b96a9e65b615 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.