CVE-2026-6266

high

Red Hat

CVSS v3 Base Score

8.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Confidentiality

High

Integrity

High

Availability

Low

Published: May 4, 2026 (9 days ago)

Last Modified: May 4, 2026

Vendor: Red Hat

Fix Available: ✓ Yes

Source: REDHAT

Description

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.

CWE

CWE-305

Affected Products

Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.6

Fix Status

✅ Fix Available

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov

CVE-2026-6266

Vulnerability Report

Description

CWE

Affected Products

Fix Status

References