RedHat AAP Gateway: Envoy Proxy Subject header bypass via non-mTLS route
CVE-2026-12382 Published on July 15, 2026
Aap-gateway: missing requestheaderstoremove allows mtls bypass via subject header spoofing
A flaw was found in the AAP Gateway Envoy proxy configuration. The non-mTLS route to EDA event streams does not remove the Subject HTTP header from client requests, despite the source code defining requestHeadersToRemove for this header. An unauthenticated remote attacker can inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.
Vulnerability Analysis
CVE-2026-12382 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public. 29 days later.
Weakness Type
Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
Products Associated with CVE-2026-12382
Want to know whenever a new CVE is published for Red Hat Ansible Automation Platform? stack.watch will email you.