Log Injection Vulnerability in AAP MCP Server by Red Hat
CVE-2026-6494
5.3 MEDIUM
What is CVE-2026-6494?
A flaw has been identified in the AAP MCP server that allows an unauthenticated remote attacker to exploit a log injection vulnerability. Input sent to the toolsetroute parameter is not sanitized before it is logged, so an attacker can inject control characters such as newlines and ANSI escape sequences. This can obscure legitimate log entries and insert forged ones, which may facilitate social engineering attacks that prompt operators into executing harmful commands or inadvertently visiting malicious URLs.
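The two logging patterns the advisory contrasts, the raw parameter interpolated into a log message versus the same parameter escaped first, as an added Python example that is not the AAP MCP server's own code; the message text, the route handling and the sample payload are constructed for illustration.

```python
import re

# Any C0 control character (newline, carriage return, ESC, ...), DEL, or C1 control.
# ESC is what every ANSI escape sequence starts with, so matching it covers those too.
CONTROL_CHAR_RE = re.compile(r'[\x00-\x1f\x7f-\x9f]')


def contains_log_injection(value: str) -> bool:
    """Detection check: does attacker-controlled input carry line breaks or escape codes?"""
    return bool(CONTROL_CHAR_RE.search(value))


def sanitize_for_log(value: str) -> str:
    """Escape every control character so the value can neither start a new log line
    nor drive the operator's terminal. Printable text passes through unchanged."""
    named = {'\n': r'\n', '\r': r'\r', '\t': r'\t', '\x1b': r'\x1b'}
    return CONTROL_CHAR_RE.sub(
        lambda m: named.get(m.group(0), '\\x%02x' % ord(m.group(0))), value)


def log_line_unsafe(route: str) -> str:
    """Vulnerable pattern: the raw parameter is interpolated into the log message."""
    return f"INFO unknown toolset route: {route}"


def log_line_safe(route: str) -> str:
    """Hardened pattern: the parameter is neutralised before it reaches the log."""
    return f"INFO unknown toolset route: {sanitize_for_log(route)}"


# Constructed sample payload (not taken from the advisory): a newline that terminates the
# genuine entry, a forged entry pointing the operator at a URL, and an ANSI clear-screen
# sequence (ESC[2J) that would hide what came before it on a terminal.
SAMPLE_ROUTE = "foo\nERROR backup failed, see http://example.invalid/fix\x1b[2J"

if __name__ == "__main__":
    print(log_line_unsafe(SAMPLE_ROUTE))  # two lines, the second one forged
    print(log_line_safe(SAMPLE_ROUTE))    # one line, escapes shown literally
```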
References
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was discovered by Melissa Ing, Oleg Sushchenko, Jon Weiser (Red Hat).