← Back

CVE-2025-9908

nvd nist
Published: Feb 27, 2026Modified: Mar 25, 2026

JSON object

Loading...
6.7
Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 / Impact: 5.9
Source: secalert@redhat.com

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

Affected (5)

Redhat
3 products
Ansible Automation Platform
Ansible Developer
Ansible Inside
Configuration A
5 vulnerable · 2 platform
Vulnerable SoftwareAffected Versions
Ansible Automation Platform
Before 2.6
Redhat
Ansible Developer
Version 1.2
Ansible Developer
Version 1.3
Redhat
Ansible Inside
Version 1.3
Ansible Inside
Version 1.4
Running on/withPlatform Versions
Redhat
Enterprise Linux
Version 8.0
Redhat
Enterprise Linux
Version 9.0

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Issue TrackingVendor Advisory

Timeline

No history available yet.