AAP 2.6 IDP Auto-Link Email Matching Bypass Enables Hijack
CVE-2026-6266 Published on May 4, 2026

Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.

Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-6266 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

LOW

Timeline

2026-04-14

Reported to Red Hat.

2026-05-04

Made public. 20 days later.

Weakness Type

Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Products Associated with CVE-2026-6266

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Ansible Automation Platform

Red Hat Ansible Automation Platform Developer

Red Hat Ansible Automation Platform Inside

Affected Versions

Red Hat Ansible Automation Platform 2.5 for RHEL 8:

Version 0:4.6.28-3.el8ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.5 for RHEL 8:

Version 0:2.5.20260422-2.el8ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.5 for RHEL 8:

Version 0:2.5.20260422-2.el8ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.5 for RHEL 9:

Version 0:4.6.28-3.el9ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.5 for RHEL 9:

Version 0:2.5.20260422-2.el9ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.5 for RHEL 9:

Version 0:2.5.20260422-2.el9ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.6 for RHEL 9:

Version 0:4.7.11-2.el9ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.6 for RHEL 9:

Version 0:2.6.20260422-1.el9ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.6 for RHEL 9:

Version 0:2.6.20260422-1.el9ap and below * is unaffected.

Red Hat Ansible Automation Platform 2.6:

Version 1777377014 and below * is unaffected.

Red Hat Ansible Automation Platform 2.6:

Version 1777311120 and below * is unaffected.

AAP 2.6 IDP Auto-Link Email Matching Bypass Enables HijackCVE-2026-6266 Published on May 4, 2026

Vulnerability Analysis

Timeline

Weakness Type

Authentication Bypass by Primary Weakness

Products Associated with CVE-2026-6266

Affected Versions

AAP 2.6 IDP Auto-Link Email Matching Bypass Enables Hijack
CVE-2026-6266 Published on May 4, 2026