Credentials Theft via Double-Slash Gateway Path in Ansible Automation Platform
CVE-2025-9909 Published on February 27, 2026
Aap-gateway: improper path validation in gateway allows credential exfiltration
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or socially engineered administrator can configure a honey-pot route to intercept and exfiltrate user credentials, potentially maintaining persistent access or creating a backdoor even after their permissions are revoked.
Vulnerability Analysis
CVE-2025-9909 can be exploited with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public. 14 days later.
Weakness Type
Use of Non-Canonical URL Paths for Authorization Decisions
The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
Products Associated with CVE-2025-9909
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
Red Hat Ansible Automation Platform 2.5 for RHEL 8:- Version 0:3.1.1-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.2-1.1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:0.1.4-1.el8ap and below * is unaffected.
- Version 0:2.5.20251210-1.el8ap and below * is unaffected.
- Version 0:4.10.10-1.el8ap and below * is unaffected.
- Version 0:2.13.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:0.4.0-1.el8ap and below * is unaffected.
- Version 0:4.2.26-1.el8ap and below * is unaffected.
- Version 0:2.1.2-1.el8ap and below * is unaffected.
- Version 0:0.4.36-2.el8ap and below * is unaffected.
- Version 0:4.10.10-1.el8ap and below * is unaffected.
- Version 0:23.0.0-1.el8ap and below * is unaffected.
- Version 0:1.6.0-1.el8ap and below * is unaffected.
- Version 0:9.0.1-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:3.8.0-1.el8ap and below * is unaffected.
- Version 0:0.2.15-1.el8ap and below * is unaffected.
- Version 0:0.4.2-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.2.el8ap and below * is unaffected.
- Version 0:4.15.0-1.el8ap and below * is unaffected.
- Version 0:3.1.1-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.2-1.1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:0.1.4-1.el9ap and below * is unaffected.
- Version 0:2.5.20251210-1.el9ap and below * is unaffected.
- Version 0:4.10.10-1.el9ap and below * is unaffected.
- Version 0:2.13.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:0.4.0-1.el9ap and below * is unaffected.
- Version 0:4.2.26-1.el9ap and below * is unaffected.
- Version 0:2.1.2-1.el9ap and below * is unaffected.
- Version 0:0.4.36-2.el9ap and below * is unaffected.
- Version 0:4.10.10-1.el9ap and below * is unaffected.
- Version 0:23.0.0-1.el9ap and below * is unaffected.
- Version 0:1.6.0-1.el9ap and below * is unaffected.
- Version 0:9.0.1-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:3.8.0-1.el9ap and below * is unaffected.
- Version 0:0.2.15-1.el9ap and below * is unaffected.
- Version 0:0.4.2-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.2.el9ap and below * is unaffected.
- Version 0:4.15.0-1.el9ap and below * is unaffected.
- Version 0:2.6.20251119-1.el9ap and below * is unaffected.
- Version sha256:93b5d66f1fa8a3241d999df47c8430c13fa11b751b5fc3d4a8fd2a39d282b3fd and below * is unaffected.
- Version sha256:d6bd83a65b6a0ca9cead0652736c51dd1ab02fc8d9ee2a5c19e413a5239c0cb7 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.