CVE-2025-14025
PUBLISHED
CVSS 8.5 HIGH
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, the read-only scope is not enforced for write operations on backend services (e.g., Controller, Hub, EDA), so a read-only token can perform writes there. If exploited, an attacker's capabilities would be limited only by role-based access control (RBAC): a read-only token issued to a user with write-capable roles inherits those roles on the backend.
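A practitioner will want to confirm on their own Gateway whether a read-only token is actually refused on backend write paths. The following probe is an added example written for this page, not Red Hat's code or anything from the advisories. It assumes the Gateway proxies Controller and EDA at the paths listed in `BACKEND_WRITE_PATHS` (an assumption; adjust them to your deployment) and POSTs an intentionally invalid body (`{}`) with the token, so nothing is created: a fixed system answers 403 (scope enforced), while a backend that accepted the write and only failed on field validation answers 400/422 (scope not enforced).

```python
"""Check whether a read-only scoped AAP OAuth2 token is rejected on backend write paths.

Added illustration for CVE-2025-14025; not Red Hat's code. The endpoint paths are
assumptions about how the Gateway proxies backend services. The probe POSTs an
intentionally invalid body ({}), so a non-enforcing backend returns a validation
error (400/422) rather than creating an object.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed Gateway-proxied write endpoints (hypothetical; confirm against your instance).
BACKEND_WRITE_PATHS = {
    "controller": "/api/controller/v2/job_templates/",
    "eda": "/api/eda/v1/projects/",
}


def classify(status: int) -> str:
    """Map the HTTP status of a POST made with a read-only token to a verdict."""
    if status == 403:
        return "scope-enforced"          # expected: the write was denied
    if status in (400, 422):
        return "scope-not-enforced"      # backend validated the body, so authz passed
    if 200 <= status < 300:
        return "write-succeeded"         # must never happen with a read-only token
    if status == 401:
        return "unauthenticated"         # token not accepted at all; inconclusive
    return "inconclusive"


def probe(base_url: str, token: str, path: str, timeout: int = 10) -> int:
    """POST an empty JSON object using the token; return the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=b"{}",
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def assess(base_url: str, token: str, paths: dict = BACKEND_WRITE_PATHS) -> dict:
    """Probe every backend path; return {service: (status, verdict)}."""
    results = {}
    for service, path in paths.items():
        status = probe(base_url, token, path)
        results[service] = (status, classify(status))
    return results


def summarize(results: dict) -> bool:
    """True only when every probed service enforced the read-only scope."""
    return all(verdict == "scope-enforced" for _, verdict in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: aap_scope_probe.py https://gateway.example.com <read-only-token>")
    res = assess(sys.argv[1], sys.argv[2])
    print(json.dumps(res, indent=2))
    sys.exit(0 if summarize(res) else 1)
```

Run it only against an instance you own, with a token created with the read scope and belonging to a user that holds write-capable roles on the backend (otherwise RBAC alone produces a 403 and the result says nothing about scope enforcement). A 401 means the token itself was not accepted and the check is inconclusive; a 400 on a body that is obviously invalid means the request passed authorization and reached the backend's serializer, which is the behaviour the advisory describes.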
EPSS 0.02% · 5.8th percentile
Risk Scores
CVSS v3.1
8.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.02%
5.8th percentile
Affected Products
| Vendor | Product | Version (package NVR or container image digest) |
|---|---|---|
| Red Hat | Red Hat Ansible Automation Platform 2.5 | sha256:2df290b61d7aac08deec2973d0a9b98788f6b619e974af0b3f4b61c759c7e464 |
| Red Hat | Red Hat Ansible Automation Platform 2.6 for RHEL 9 | 0:2.6.20260106-1.el9ap |
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 9 | 0:2.5.20260106-1.el9ap |
| Red Hat | Red Hat Ansible Automation Platform 2.6 | sha256:766c7570afc4e9b163a3256a0d7c699327905c1d24213229acb0b96a9e65b615 |
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 8 | 0:2.5.20260106-1.el8ap |
Timeline
- Dec 4, 2025 CVE ID Reserved
- Jan 8, 2026 CVE Published
- Jan 8, 2026 PoC Published
- Jan 9, 2026 EPSS Score
- Jan 12, 2026 EPSS Score
- Jan 15, 2026 EPSS Score
- Jan 18, 2026 EPSS Score
- Jan 21, 2026 EPSS Score
- Jan 25, 2026 EPSS Score
References
- https://access.redhat.com/articles/7136004 (Red Hat knowledge base article)
- RHSA-2026:0360 (vendor advisory)
- RHSA-2026:0361 (vendor advisory)
- RHSA-2026:0408 (vendor advisory)
- RHSA-2026:0409 (vendor advisory)
- https://access.redhat.com/security/cve/CVE-2025-14025 (Red Hat CVE page)
- RHBZ#2418785 (Red Hat Bugzilla issue)
- https://nvd.nist.gov/vuln/detail/CVE-2025-14025 (NVD advisory)