CVE-2025-9908

Medium CVSS: 6.7

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

Vendor

Redhat

Product

Ansible Automation Platform

CWE

CWE-200

Yayın Tarihi

2026-02-27 08:17:07

Güncelleme

2026-03-25 20:19:13

Source Identifier

secalert@redhat.com

KEV Date Added

Kategoriler

CWE-200 Ansible Automation Platform MEDIUM Redhat 2026

Referanslar

https://access.redhat.com/errata/RHSA-2025:19201 https://access.redhat.com/errata/RHSA-2025:19221 https://access.redhat.com/errata/RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23131 https://access.redhat.com/security/cve/CVE-2025-9908 https://bugzilla.redhat.com/show_bug.cgi?id=2392835

Benzer Kayıtlar

High

CVE-2026-28369

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more…

High

CVE-2026-28368

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where…

Medium

CVE-2026-3121

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where thi…

Medium

CVE-2026-3190

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to…

Low

CVE-2026-4874

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating t…

Low

CVE-2026-4633

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login…