User Auto-Link Flaw in AAP Gateway by Red Hat
CVE-2026-6266

8.3 HIGH

What is CVE-2026-6266?

A significant security flaw exists in the AAP Gateway, in the user auto-link strategy introduced in AAP version 2.6. The flaw allows an external Identity Provider (IDP) identity to be linked automatically to an existing AAP user account based solely on a matching email address. Because ownership of that email address is never verified, a remote attacker can hijack a victim's AAP account. Exploitation could grant unauthorized access not only to ordinary user accounts but potentially to administrative accounts as well, putting sensitive information and systems at risk.
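The following Python snippet is an added example, not Red Hat's or AAP Gateway's code, illustrating the linking decision the advisory describes. `auto_link_unsafe` shows the flawed pattern (link on email match alone); `auto_link_hardened` shows the checks a defender would expect: resolve returning identities by issuer and subject rather than email, accept only configured issuers, require the IdP to assert that the email is verified (modelled here on the OIDC `email_verified` claim), demand a single unambiguous match, and refuse to auto-link privileged accounts. The `User` and `IdpIdentity` types, the issuer URLs and the email addresses are all constructed for the example.

```python
# Added example (not Red Hat's or AAP's code): the unverified email auto-link
# pattern described in the advisory, beside a hardened linking policy.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class User:
    username: str
    email: str
    is_superuser: bool = False
    linked_identities: Set[str] = field(default_factory=set)  # "issuer|subject" keys


@dataclass
class IdpIdentity:
    issuer: str           # hypothetical IdP issuer URL (constructed)
    subject: str          # stable subject identifier issued by the IdP
    email: str
    email_verified: bool  # modelled on the OIDC "email_verified" claim


def _key(ident: IdpIdentity) -> str:
    return f"{ident.issuer}|{ident.subject}"


def auto_link_unsafe(users: List[User], ident: IdpIdentity) -> Optional[User]:
    """The flawed strategy: attach the IdP identity to whichever existing
    account has the same email, with no check that the email was verified
    and no regard for which issuer asserted it."""
    for u in users:
        if u.email.casefold() == ident.email.casefold():
            u.linked_identities.add(_key(ident))
            return u
    return None


def auto_link_hardened(users: List[User], ident: IdpIdentity,
                       trusted_issuers: Set[str],
                       allow_admin_autolink: bool = False) -> Tuple[Optional[User], Optional[str]]:
    """Returns (user, None) on success, or (None, reason) when linking is refused."""
    key = _key(ident)
    # 1. A previously linked identity resolves by issuer+subject, never by email,
    #    so a later change of email claim cannot redirect the login.
    for u in users:
        if key in u.linked_identities:
            return u, None
    # 2. Only issuers the operator configured may assert identities at all.
    if ident.issuer not in trusted_issuers:
        return None, "issuer not trusted"
    # 3. A matching email is not proof of ownership; the IdP must vouch for it.
    if not ident.email_verified:
        return None, "idp did not assert email ownership"
    # 4. Require exactly one candidate account.
    matches = [u for u in users if u.email.casefold() == ident.email.casefold()]
    if len(matches) != 1:
        return None, "no unique email match"
    target = matches[0]
    # 5. Never silently attach a new login method to a privileged account.
    if target.is_superuser and not allow_admin_autolink:
        return None, "privileged account requires manual linking"
    target.linked_identities.add(key)
    return target, None


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    accounts = [User("admin", "admin@example.test", is_superuser=True),
                User("bob", "bob@example.test")]
    trusted = {"https://idp.example.test"}
    claim = IdpIdentity("https://idp.example.test", "sub-42", "admin@example.test", True)
    print("unsafe   ->", auto_link_unsafe(list(accounts), claim))
    print("hardened ->", auto_link_hardened(accounts, claim, trusted))
```

The hardened function deliberately returns a reason string rather than raising, so a gateway can log every refused link attempt; a burst of refusals against administrative accounts from an unexpected issuer is exactly the signal a SOC would want to alert on.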

Affected Version(s)

Red Hat Ansible Automation Platform 2.6 for RHEL 9 0:4.7.11-2.el9ap

Red Hat Ansible Automation Platform 2.6 for RHEL 9 0:2.6.20260422-1.el9ap

References

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Robin Bobbitt (Red Hat).