Description
A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
Published: 2026-02-06
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-User Data Exposure and Manipulation
Action: Patch ASAP
AI Analysis

Impact

The flaw in Ansible Lightspeed API conversation endpoints permits an authenticated user to probe conversation identifiers that do not belong to them; as a result the requester can read or alter other users’ AI chat sessions. The lack of proper object‑level authorization leads to a breach of confidentiality and the integrity of AI‑generated output. This weakness corresponds to CWE‑283.

Affected Systems

Affected product: Red Hat Ansible Automation Platform 2. No specific version range is listed in the CVE data. Systems running the platform in conjunction with the lightspeed API should be reviewed for potential exposure.

Risk and Exploitability

The CVSS base score of 4.2 indicates low overall severity, and an EPSS score of less than 1% shows that exploitation likelihood is very low at present. The vulnerability is not cataloged in KEV, and the attack vector requires valid credentials to the platform, so an attacker must first obtain legitimate login credentials or otherwise authenticate to the API. No public exploit is known, but the impact could be significant once a user attains access rights.

Generated by OpenCVE AI on April 17, 2026 at 22:54 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Apply the latest Red Hat Ansible Automation Platform version that contains the authorization fix once it is released.
  • Restrict access to the lightspeed API by enforcing role‑based access control and least‑privilege principles, ensuring only authorized users can query conversation identifiers.
  • Audit and monitor API calls for anomalies, such as cross‑user conversation accesses, and review logs for suspicious activity.

Generated by OpenCVE AI on April 17, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 06 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Description A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
Title Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api
First Time appeared Redhat
Redhat ansible Automation Platform
Weaknesses CWE-283
CPEs cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products Redhat
Redhat ansible Automation Platform
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Redhat Ansible Automation Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-06T15:42:21.423Z

Reserved: 2026-01-05T07:35:27.017Z

Link: CVE-2026-0598

cve-icon Vulnrichment

Updated: 2026-02-06T15:41:40.197Z

cve-icon NVD

Status : Deferred

Published: 2026-02-06T06:15:49.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0598

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-06T00:00:00Z

Links: CVE-2026-0598 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses