RedHat AAP Gateway: Envoy Proxy Subject header bypass via non-mTLS route
CVE-2026-12382 Published on July 15, 2026

Aap-gateway: missing requestheaderstoremove allows mtls bypass via subject header spoofing
A flaw was found in the AAP Gateway Envoy proxy configuration. The non-mTLS route to EDA event streams does not remove the Subject HTTP header from client requests, despite the source code defining requestHeadersToRemove for this header. An unauthenticated remote attacker can inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.

NVD

Vulnerability Analysis

CVE-2026-12382 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
HIGH
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public. 29 days later.

Weakness Type

Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.


Products Associated with CVE-2026-12382

Want to know whenever a new CVE is published for Red Hat Ansible Automation Platform? stack.watch will email you.

 

Affected Versions

Red Hat Ansible Automation Platform 2: Red Hat Ansible Automation Platform 2: