← Back

CVE-2025-9907

nvd nist
Published: Feb 27, 2026Modified: Mar 26, 2026

JSON object

Loading...
6.7
Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 / Impact: 5.9
Source: secalert@redhat.com

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.

Affected (5)

Redhat
3 products
Ansible Automation Platform
Ansible Developer
Ansible Inside
Configuration A
5 vulnerable · 2 platform
Vulnerable SoftwareAffected Versions
Ansible Automation Platform
Before 2.6
Redhat
Ansible Developer
Version 1.2
Ansible Developer
Version 1.3
Redhat
Ansible Inside
Version 1.3
Ansible Inside
Version 1.4
Running on/withPlatform Versions
Redhat
Enterprise Linux
Version 8.0
Redhat
Enterprise Linux
Version 9.0

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Issue TrackingVendor Advisory

Timeline

No history available yet.