PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6266 Red Hat CVE debrief

A flaw was found in the AAP gateway's user auto-link strategy, introduced in AAP 2.6. This strategy automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching, without verifying that the IDP-asserted email is actually owned by the person authenticating. A remote attacker who can control the email an IDP presents could therefore be linked to a victim's account and hijack it, or gain unauthorized access to other accounts, including administrative ones. The vulnerability carries a CVSS score of 8.3 (high severity). It was published on May 4, 2026, and last modified on June 30, 2026.

Vendor: Red Hat
Product: Red Hat Ansible Automation Platform 2.5 for RHEL 8
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-04
Original CVE updated: 2026-06-30
Advisory published: 2026-05-04
Advisory updated: 2026-06-30

Who should care

Organizations using AAP 2.6 or later should be aware of this vulnerability and take steps to mitigate it. Specifically, administrators of AAP instances with external IDPs configured should verify their configurations and ensure that email ownership is properly verified before linking accounts. Additionally, users of AAP should be cautious of potential phishing attacks that could exploit this vulnerability.

Technical summary

The AAP gateway's user auto-link strategy, introduced in AAP 2.6, does not verify email ownership before linking an external IDP identity to an existing AAP user account; the match is made on the email value the IDP supplies. An attacker who can manipulate that IDP-provided email can therefore be linked to, and potentially hijack, a victim's account, or gain unauthorized access to other accounts. The vulnerability has a CVSS score of 8.3 and is classified as high severity. The associated weakness is CWE-305 (Authentication Bypass by Primary Weakness). The vulnerability was reported by Red Hat and is documented in their security advisories.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it allows for potential account hijacking and unauthorized access. Administrators should review their AAP configurations and ensure that email ownership is properly verified before linking accounts.

Recommended defensive actions

  • Review and update AAP configurations to ensure email ownership verification for external IDP identities.
  • Implement additional security measures, such as multi-factor authentication, to protect against potential account hijacking.
  • Monitor AAP instance logs for suspicious activity related to account linking.
  • Educate users on potential phishing attacks that could exploit this vulnerability.
  • Apply patches or updates provided by the vendor as soon as possible.
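As an added illustration (not AAP's own code, and not a description of how the gateway implements its strategy), the following Python contrasts the weak email auto-link policy described in the technical summary with a hardened version that refuses to link unless ownership is established: an existing provider/subject link, or a verified-email claim from a trusted provider, and never for protected accounts. The account store, provider names and protected-account list are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed sample account store for the demo (not AAP data):
# username -> email on file and the (provider, subject) identities already linked.
USERS = {
    "admin": {"email": "admin@example.com", "linked": {("corp-idp", "sub-1001")}},
    "alice": {"email": "alice@example.com", "linked": set()},
}
TRUSTED_PROVIDERS = {"corp-idp"}   # hypothetical IDP names for the demo
PROTECTED_ACCOUNTS = {"admin"}     # never auto-linked by email alone


@dataclass(frozen=True)
class IdpIdentity:
    provider: str         # which IDP authenticated the user
    subject: str          # the IDP's stable subject identifier
    email: str            # email claim exactly as supplied by the IDP
    email_verified: bool  # whether the IDP asserts it verified that email


def vulnerable_auto_link(identity, users=USERS):
    """The weak pattern (CWE-305): link to any local account whose email
    matches, trusting the IDP-supplied email with no ownership check."""
    for username, rec in users.items():
        if rec["email"].lower() == identity.email.lower():
            return username
    return None


def hardened_link(identity, users=USERS, trusted=TRUSTED_PROVIDERS):
    """Link only when ownership is established; returns (username, reason)."""
    # 1. A previously established (provider, subject) link always wins.
    for username, rec in users.items():
        if (identity.provider, identity.subject) in rec["linked"]:
            return username, "existing-link"
    # 2. Email matching is accepted only from a trusted IDP that asserts the
    #    email as verified; an unknown provider cannot vouch for an address.
    if identity.provider not in trusted:
        return None, "deny: untrusted provider"
    if not identity.email_verified:
        return None, "deny: email not verified by IDP"
    matches = [u for u, r in users.items()
               if r["email"].lower() == identity.email.lower()]
    if len(matches) != 1:
        return None, "deny: no unique email match"
    # 3. Privileged accounts are never auto-linked; an admin must link them.
    if matches[0] in PROTECTED_ACCOUNTS:
        return None, "deny: protected account requires manual linking"
    return matches[0], "email-verified-link"
```

The `reason` string is what a defender would want to log: a run of "deny" decisions against the same local account is the signal the monitoring action above is looking for.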

Evidence notes

The vulnerability was reported by Red Hat and is documented in their security advisories. The CVE record and NVD detail provide additional information on the vulnerability. The source item URL provides further details on the vulnerability, including its CVSS score and CWE classification.

Official resources

This article is AI-assisted and based on the supplied source corpus.