Description
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
Published: 2026-05-04
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was discovered in the AAP gateway: the user auto-link strategy links an external Identity Provider (IDP) identity to an existing AAP user account solely on the basis of a matching email address, without verifying that the IDP identity actually owns that address. A remote attacker who can control the email an IDP asserts for their own identity can therefore be linked to, and log in as, a victim's account, including administrative accounts. The weakness is classified as CWE-305 (authentication bypass by primary weakness); per the CVSS vector the impact on confidentiality and integrity is high and on availability low.

Affected Systems

The CPE identifiers carried by this page when the analysis ran are Red Hat Ansible Automation Platform 2.6 on RHEL 9 and RHEL 10: the standard and developer variants on both operating systems, and the inside variant on RHEL 9. The description states that the auto-link strategy was introduced in AAP 2.6, which is consistent with only 2.6 releases carrying the flaw. The history below records 2.5 CPEs (RHEL 8 and RHEL 9) being added to the record later on 4 May; Red Hat CVE records list products with a per-product status, so confirm on the Red Hat CVE page whether those 2.5 entries are affected or marked not affected before scoping remediation.

Risk and Exploitability

The CVSS 3.1 vector on this page, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L, scores 8.3 High: reachable over the network, low attack complexity, no user interaction, and only low privileges required. EPSS is not available and the vulnerability is not in the CISA KEV catalog; the SSVC assessment recorded in the history rates exploitation "none" and automatable "no", with technical impact "total". The low-privilege requirement matches the realistic attacker model: the attacker does not need to compromise the IDP itself, only to hold an identity at a configured IDP whose asserted email they can set to the victim's address (a self-registered account at a provider that does not verify email, or a compromised IDP account). Because the strategy links on the email match alone, the victim's AAP account, administrative accounts included, is joined to the attacker's identity without any action by the victim. Environments that federate with more than one IDP, or with any IDP whose email attribute is user-controlled, are the most exposed.

Generated by OpenCVE AI on May 4, 2026 at 15:51 UTC.
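The following is an added illustration of the linking weakness described above, not code from the AAP gateway and not a claim about how Red Hat fixed it. It places the email-only strategy beside a hardened policy that links on an established (issuer, subject) binding, accepts an email match only from an issuer trusted to verify email, and refuses to auto-link privileged accounts. The claim names (issuer, subject, email_verified), the User record shape, the example issuer URLs and the policy knobs are assumptions made for the example.

```python
"""Added illustration of the auto-link weakness described on this page; this
is not AAP gateway code and does not claim to mirror the vendor's fix. The
claim names (issuer, subject, email_verified), the User record shape and
the policy knobs are assumptions made for the example."""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    is_superuser: bool = False
    # (issuer, subject) pairs already bound to this local account
    linked_identities: set = field(default_factory=set)


@dataclass(frozen=True)
class IdpAssertion:
    issuer: str              # which IdP asserted the identity (assumed claim)
    subject: str             # stable per-user id at that IdP (assumed claim)
    email: str
    email_verified: bool = False


class LinkRefused(Exception):
    """Raised when the hardened policy declines to auto-link."""


def sample_state():
    """Constructed sample data: an unlinked local admin and an ordinary
    user; returns (users, audit_log)."""
    return [User("admin", "admin@example.com", is_superuser=True),
            User("alice", "alice@example.com")], []


def autolink_by_email(users, a):
    """Weak strategy modelled on the CVE text: the first local account whose
    email equals the IdP-supplied email is linked, with no ownership check."""
    for u in users:
        if u.email.casefold() == a.email.casefold():
            u.linked_identities.add((a.issuer, a.subject))
            return u
    return None


def link_with_ownership_checks(users, a, trusted_issuers, audit):
    """Hardened policy (one reasonable design, not the vendor's):
    1. an (issuer, subject) pair already bound to an account maps to that
       account and the asserted email is never consulted;
    2. email-based linking happens only from an issuer the operator trusts
       to verify email, only when the IdP marks the email verified, only when
       exactly one local account matches, and never for privileged accounts;
    3. anything else is refused and recorded for a manual, audited link."""
    for u in users:
        if (a.issuer, a.subject) in u.linked_identities:
            return u
    matches = [u for u in users if u.email.casefold() == a.email.casefold()]
    reason = None
    if a.issuer not in trusted_issuers:
        reason = "untrusted issuer"
    elif not a.email_verified:
        reason = "email not verified by IdP"
    elif len(matches) != 1:
        reason = "no unique email match"
    elif matches[0].is_superuser:
        reason = "privileged account requires manual linking"
    if reason is not None:
        audit.append({"event": "autolink_refused", "issuer": a.issuer,
                      "subject": a.subject, "email": a.email, "reason": reason})
        raise LinkRefused(reason)
    target = matches[0]
    target.linked_identities.add((a.issuer, a.subject))
    audit.append({"event": "identity_linked", "issuer": a.issuer,
                  "subject": a.subject, "user": target.username})
    return target


def demo():
    """An attacker registers at a self-service IdP and sets the admin's email
    as their own. Returns (weak_result, hardened_result, audit)."""
    attacker = IdpAssertion("https://social-idp.example", "attacker-42",
                            "admin@example.com", email_verified=True)
    users, _ = sample_state()
    weak = autolink_by_email(users, attacker).username       # "admin"
    users, audit = sample_state()
    try:
        hardened = link_with_ownership_checks(
            users, attacker, {"https://corp-idp.example"}, audit).username
    except LinkRefused as exc:
        hardened = "refused: " + str(exc)
    return weak, hardened, audit


if __name__ == "__main__":
    print(demo())
```

Note that even the hardened path trusts the IdP's email_verified claim, which only proves the IdP's view of the address, not that the holder of the local AAP account is the same person; where that residual risk matters, replace the email path entirely with a one-time confirmation sent to the local account's address or with manual linking, as the remediation section below recommends for privileged accounts.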

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the official Red Hat fix for the auto‑link email verification flaw in Ansible Automation Platform 2.6 as soon as an advisory is published (none is listed on this page yet).
  • Until the fix is in place, disable auto‑linking, or restrict it so that privileged accounts are never linked automatically, and link those identities manually through the AAP UI or API.
  • Enable audit logging for IDP account linking events, and review the identities already linked to administrative accounts for links that were created automatically from an unexpected IDP or subject.

Generated by OpenCVE AI on May 4, 2026 at 15:51 UTC.
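The third recommended action above is only useful if someone actually looks at the linking events. The following is an added example of that triage, not AAP gateway tooling: it parses a constructed JSON-lines audit log and flags automatic links to privileged accounts, automatic links from an issuer not trusted to verify email, and accounts that already had an IDP identity and then received another one automatically, which is the takeover pattern this CVE enables. The log format, the field names and the issuer URLs are assumptions and must be mapped onto whatever the real gateway emits.

```python
"""Added example of triaging IdP linking audit events; not AAP gateway tooling.
The JSON line format and field names below are assumptions constructed for
the example and must be mapped onto whatever the real gateway emits."""
import json
from collections import defaultdict

# Constructed sample log: alice auto-linked from the corporate IdP, the admin
# linked manually there, then the admin account auto-linked a second time from
# a self-service IdP identity that merely claims the admin's email, followed
# by a login through that identity.
SAMPLE_LOG = """\
{"ts":"2026-05-04T10:00:00Z","event":"identity_linked","mode":"auto","issuer":"https://corp-idp.example","subject":"u-1001","email":"alice@example.com","user":"alice","is_superuser":false}
{"ts":"2026-05-04T10:05:00Z","event":"identity_linked","mode":"manual","issuer":"https://corp-idp.example","subject":"u-0001","email":"admin@example.com","user":"admin","is_superuser":true}
{"ts":"2026-05-04T11:42:13Z","event":"identity_linked","mode":"auto","issuer":"https://social-idp.example","subject":"attacker-42","email":"admin@example.com","user":"admin","is_superuser":true}
{"ts":"2026-05-04T11:43:00Z","event":"login","issuer":"https://social-idp.example","subject":"attacker-42","user":"admin"}
"""


def parse_events(text):
    """Parse one JSON object per line; malformed lines are skipped so a single
    bad record cannot abort triage of the rest."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious_links(events, trusted_issuers):
    """Return (ts, rule, user, issuer, subject) tuples for linking events that
    deserve review:
      privileged-auto-link : an automatic link to a superuser account;
      untrusted-issuer     : an automatic link from an IdP the operator does
                             not trust to verify email ownership;
      second-identity      : an account that already had an IdP identity
                             received another one automatically."""
    links = sorted((e for e in events if e.get("event") == "identity_linked"),
                   key=lambda e: e["ts"])
    findings = []
    seen = defaultdict(set)   # user -> (issuer, subject) pairs linked so far
    for e in links:
        ident = (e["issuer"], e["subject"])
        tag = (e["ts"], e["user"], e["issuer"], e["subject"])
        if e.get("mode") == "auto":
            if e.get("is_superuser"):
                findings.append((tag[0], "privileged-auto-link") + tag[1:])
            if e["issuer"] not in trusted_issuers:
                findings.append((tag[0], "untrusted-issuer") + tag[1:])
            if seen[e["user"]] and ident not in seen[e["user"]]:
                findings.append((tag[0], "second-identity") + tag[1:])
        seen[e["user"]].add(ident)
    return findings


def followup_logins(events, findings):
    """Logins that used an IdP identity flagged above, i.e. sessions an
    investigator should treat as possibly the attacker's."""
    flagged = {(f[3], f[4]) for f in findings}
    return [e for e in events
            if e.get("event") == "login"
            and (e.get("issuer"), e.get("subject")) in flagged]


def triage(text=SAMPLE_LOG, trusted_issuers=("https://corp-idp.example",)):
    """Run both passes over a log and return (findings, follow-up logins)."""
    events = parse_events(text)
    findings = find_suspicious_links(events, set(trusted_issuers))
    return findings, followup_logins(events, findings)


if __name__ == "__main__":
    findings, logins = triage()
    for f in findings:
        print(*f)
    for e in logins:
        print("follow-up login:", e["ts"], e["user"], e["subject"])
```

On the sample data only the 11:42:13 event is flagged, under all three rules, and the 11:43:00 login through the same identity is returned for follow-up; the alice event passes because it is an automatic link from a trusted issuer to an unprivileged account with no prior identity. The second-identity rule is the one to keep even after patching, since it also catches links created by other means on an account that should only ever have one upstream identity.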


Advisories

No advisories yet.

History

Tue, 05 May 2026 00:15:00 +0000
  References: updated
  Metrics: threat_severity changed from None to Important

Mon, 04 May 2026 21:30:00 +0000
  References: updated

Mon, 04 May 2026 21:00:00 +0000
  CPEs added:
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
    cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
    cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
    cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
  References: updated

Mon, 04 May 2026 17:15:00 +0000
  Metrics: ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 14:15:00 +0000
  Description added: A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
  Title added: Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking
  First time appeared: Redhat; Redhat Ansible Automation Platform; Redhat Ansible Automation Platform Developer; Redhat Ansible Automation Platform Inside
  Weaknesses added: CWE-305
  CPEs added:
    cpe:/a:redhat:ansible_automation_platform:2.6::el10
    cpe:/a:redhat:ansible_automation_platform:2.6::el9
    cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
    cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
    cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
  Vendors & Products added: Redhat; Redhat Ansible Automation Platform; Redhat Ansible Automation Platform Developer; Redhat Ansible Automation Platform Inside
  References: added
  Metrics: cvssV3_1 added: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-04T20:56:54.266Z

Reserved: 2026-04-14T06:33:59.504Z

Link: CVE-2026-6266

Vulnrichment

Updated: 2026-05-04T16:33:29.773Z

NVD

Status : Awaiting Analysis

Published: 2026-05-04T14:16:35.970

Modified: 2026-05-04T22:16:19.410

Link: CVE-2026-6266

Redhat

Severity : Important

Public Date: 2026-05-04T13:35:24Z

Links: CVE-2026-6266 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-04T16:00:04Z

Weaknesses