Insufficient Session Expiration in Ansible Lightspeed by Red Hat
CVE-2026-44188

5.3 MEDIUM

What is CVE-2026-44188?

A flaw in Ansible Lightspeed allows remote attackers to maintain persistent access to the system by exploiting insufficient session expiration. When a valid OAuth access token is exfiltrated before a user logs out, the application fails to invalidate the token on the backend. This oversight grants attackers continued access to sensitive resources including inventories, playbooks, and configuration data until the token naturally expires, leading to potential unauthorized data exposure.
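A minimal model of the flaw and its fix, added here as an illustration and not code from Ansible Lightspeed or Red Hat: the vulnerable logout forgets the token only on the client, so a copy taken earlier keeps working until natural expiry, while the hardened logout records a backend revocation that the resource server checks on every request. The function names, the in-memory stores and the fixed clock are assumptions.

```python
"""Server-side token revocation on logout, modelled in memory.
Constructed example; stands in for an OAuth resource server."""
import secrets
import time

ISSUED = {}      # token -> (subject, expiry); constructed token store
REVOKED = set()  # revocation set consulted by the hardened check


def issue_token(subject, lifetime_s=3600, now=None):
    """Issue an opaque bearer token valid for lifetime_s seconds."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ISSUED[token] = (subject, now + lifetime_s)
    return token


def logout_vulnerable(token):
    """Client-side logout only: the backend records nothing, so any
    copy of the token stays valid until it expires."""
    return None


def logout_hardened(token):
    """Logout that revokes the token at the backend."""
    REVOKED.add(token)


def resource_allowed(token, check_revocation, now=None):
    """Return the subject if the token is accepted, else None.
    check_revocation=False models the vulnerable resource server."""
    now = time.time() if now is None else now
    entry = ISSUED.get(token)
    if entry is None:
        return None
    subject, expiry = entry
    if now >= expiry:
        return None  # natural expiry: the only limit in the vulnerable case
    if check_revocation and token in REVOKED:
        return None  # revoked at logout: the hardened behaviour
    return subject


def demo():
    t0 = 1_700_000_000  # constructed fixed clock
    tok = issue_token("alice", lifetime_s=3600, now=t0)
    stolen = tok  # assume the token was copied before logout
    logout_vulnerable(tok)
    still_works = resource_allowed(stolen, False, now=t0 + 60)   # "alice"
    logout_hardened(tok)
    after_revoke = resource_allowed(stolen, True, now=t0 + 60)   # None
    expired = resource_allowed(stolen, False, now=t0 + 3601)     # None
    return still_works, after_revoke, expired
```

Self-contained tokens such as JWTs need the same treatment: the resource server must consult the revocation store (or an introspection endpoint), because a valid signature and an unexpired `exp` claim alone say nothing about logout.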

Affected Version(s)

Red Hat Ansible Automation Platform 2.7 1781025813

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

This issue was discovered by Laura Pardo (Red Hat Inc.).