Description
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Ansible Lightspeed allows a remote attacker to hijack sessions by capturing a valid OAuth access token before the user logs out. Because the application does not invalidate the token on the backend, the token remains usable until its natural expiration, giving the attacker persistent authenticated access. This enables unauthorized reading of sensitive Ansible resources such as inventories, playbooks, and configuration data.

Affected Systems

The vulnerability affects Red Hat Ansible Automation Platform versions 2 and 2.7 for Enterprise Linux 9. Users running these releases are at risk until they apply the Red Hat update that addresses session expiration handling.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog. A remote attacker who can exfiltrate an OAuth token before logout can maintain authenticated access, potentially exfiltrating protected data. The likelihood of exploitation depends on the presence of exposed tokens and whether users log out; however, once a token is obtained, the attacker can read any data accessible to that token for the remainder of its lifespan.

Generated by OpenCVE AI on June 15, 2026 at 11:20 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat Security Advisory RHSA-2026:25928 to update Ansible Automation Platform to a version that includes the session expiration fix.
  • Immediately revoke any active OAuth tokens that may have been exposed before logout.
  • Enforce shorter session lifetimes or configure the platform to invalidate tokens upon logout.
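To make the CWE-613 behaviour behind this CVE concrete, the following is an added Python illustration; it is hypothetical code written for this page, not OpenCVE's, Red Hat's or Ansible Lightspeed's implementation. It models a backend token store in which logout either leaves the server-side record untouched (so a token copied before logout keeps validating until its natural TTL runs out) or revokes it on the backend (the fix the recommended actions describe). The class and method names, the `ttl_seconds` default and the sample user names are all assumptions.

```python
"""Added illustration (hypothetical, not Ansible Lightspeed's code) of CWE-613:
a backend token store where logout either leaves the record valid or revokes it."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user: str
    expires_at: float
    revoked: bool = False


@dataclass
class TokenStore:
    """Backend store keyed by the opaque access-token value (assumed design)."""
    ttl_seconds: float = 3600.0  # natural lifetime; shorter TTLs shrink the exposure window
    _records: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create an opaque token for `user` that expires ttl_seconds from `now`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[token] = TokenRecord(user=user, expires_at=now + self.ttl_seconds)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user, or None if the token is unknown, expired or revoked."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec.user

    def logout_client_only(self, token: str) -> None:
        """Flawed logout: the client drops its copy but the backend record is untouched,
        so any copy obtained before logout keeps validating until expires_at."""
        return None

    def logout_revoke(self, token: str) -> None:
        """Fixed logout: mark the backend record revoked so the token is rejected at once."""
        rec = self._records.get(token)
        if rec is not None:
            rec.revoked = True


def copied_token_survives_logout(revoke_on_logout: bool, now: float = 1_000.0) -> bool:
    """Issue a token, keep a copy (standing in for one obtained before logout), log out,
    and report whether the copy still validates one second later."""
    store = TokenStore(ttl_seconds=3600.0)
    token = store.issue("alice", now=now)  # constructed sample user
    copy = token
    if revoke_on_logout:
        store.logout_revoke(token)
    else:
        store.logout_client_only(token)
    return store.validate(copy, now=now + 1) is not None


if __name__ == "__main__":
    print("flawed logout, copy still valid:", copied_token_survives_logout(False))  # True
    print("revoking logout, copy still valid:", copied_token_survives_logout(True))  # False
```

The `now` parameter is there so the expiry check can be exercised deterministically; in a real service the store would be backed by a database or cache shared by all backend instances, and revocation on logout would be paired with the shorter `ttl_seconds` the recommended actions mention, so that a token which is never explicitly logged out still has a bounded window.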


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 12:15:00 +0000

Type        Values Removed           Values Added
References
Metrics     threat_severity: None    threat_severity: Moderate


Mon, 15 Jun 2026 10:00:00 +0000 (initial record; all values added, none removed)

Description: A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.
Title: Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration
First Time appeared: Redhat; Redhat ansible Automation Platform
Weaknesses: CWE-613
CPEs: cpe:/a:redhat:ansible_automation_platform:2; cpe:/a:redhat:ansible_automation_platform:2.7::el9
Vendors & Products: Redhat; Redhat ansible Automation Platform
References:
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-15T08:52:42.569Z

Reserved: 2026-05-05T15:02:54.443Z

Link: CVE-2026-44188

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-15T10:16:28.213

Modified: 2026-06-15T10:16:28.213

Link: CVE-2026-44188

Redhat

Severity : Moderate

Public Date: 2026-06-15T08:08:37Z

Links: CVE-2026-44188 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-15T11:30:15Z

Weaknesses
  • CWE-613: Insufficient Session Expiration