Improper Access Control in Ansible Lightspeed API by Red Hat
CVE-2026-0598

4.2MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Ansible Automation Platform 2.6
Red Hat Ansible Automation Platform 2
Vendor
CVE Published:
6 February 2026

What is CVE-2026-0598?

A security flaw has been discovered in the Ansible Lightspeed API, specifically affecting its conversation endpoints that manage AI chat interactions. The vulnerability arises from insufficient validation of conversation identifiers, allowing an attacker with legitimate credentials to access or manipulate conversations that belong to other users. This oversight compromises the confidentiality of sensitive conversation data and potentially enables unauthorized alterations to AI-generated outputs, posing a significant risk to user privacy and data security.

Affected Version(s)

Red Hat Ansible Automation Platform 2.6 1777387242

References

https://access.redhat.com/errata/RHSA-2026:13545
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-0598
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2427094
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Laura Pardo (RedHat) for reporting this issue.
.