CVE-2026-6266
Status: PUBLISHED
CVSS v3.1: 8.3 (HIGH)
A flaw was found in the Ansible Automation Platform (AAP) gateway. The user auto-link strategy introduced in AAP 2.6 automatically links an external Identity Provider (IdP) identity to an existing AAP user account whenever the IdP-supplied email address matches, without verifying that the IdP subject actually owns that address. A remote attacker who can manipulate the email attribute an IdP presents to the gateway can therefore be linked to, and log in as, the matching victim account, including administrative accounts. The CVSS vector (PR:L) reflects that the attacker needs some low-privilege foothold, such as an account at an IdP the gateway accepts, but no interaction from the victim.
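The auto-link weakness described above, as an added illustration that is not the AAP gateway's code: a hypothetical `vulnerable_auto_link` that reproduces the "any email match links" rule, next to a `hardened_auto_link` that links only when the issuer is explicitly trusted for the email's domain, the IdP asserts `email_verified`, the address is not already bound to a different subject, and the target account is not privileged. The user records, the `TRUSTED_ISSUERS` configuration and the claim sets are constructed sample data.

```python
"""Email-only auto-link versus a guarded version (illustrative, not AAP code).

The weak function links an IdP identity to whichever local account has the
same email. The hardened one only links when the issuer is trusted for that
email domain, the IdP asserts it verified the address, and the account is
not privileged. All users, issuers and claims below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    username: str
    email: str
    is_superuser: bool = False
    # (issuer, subject) pairs already linked to this account
    linked_identities: set = field(default_factory=set)


def make_users():
    """Fresh copy of a small constructed user directory."""
    return [
        LocalUser("admin", "admin@corp.example", is_superuser=True),
        LocalUser("alice", "alice@corp.example"),
    ]


# Issuers the operator has configured, mapped to the email domains each one
# is authoritative for. Any other issuer is untrusted (assumed config).
TRUSTED_ISSUERS = {
    "https://idp.corp.example": {"corp.example"},
}


def normalize_email(value):
    """Lower-case and trim so both sides of every comparison use one form."""
    return (value or "").strip().lower()


def vulnerable_auto_link(claims, users):
    """The weak strategy: any email match links, with no ownership check.

    Whoever can present a token whose email claim equals a local user's
    email is linked to, and effectively logged in as, that user.
    """
    email = normalize_email(claims.get("email"))
    for user in users:
        if normalize_email(user.email) == email:
            user.linked_identities.add((claims.get("iss"), claims.get("sub")))
            return user
    return None


def hardened_auto_link(claims, users, trusted_issuers=TRUSTED_ISSUERS):
    """Return (outcome, user); outcome is 'linked', 'no_match' or 'refused:<why>'.

    A refusal should fall back to creating a fresh unprivileged account or
    to an admin-approved manual link, never to a silent email match.
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    email = normalize_email(claims.get("email"))
    if not iss or not sub or not email:
        return "refused:missing_claims", None

    # 1. Only an explicitly trusted issuer may auto-link at all.
    domains = trusted_issuers.get(iss)
    if domains is None:
        return "refused:untrusted_issuer", None

    # 2. The IdP must assert it verified the address, and the address must be
    #    in a domain that IdP is authoritative for; a "verified" claim from a
    #    self-service IdP about someone else's domain proves nothing.
    if claims.get("email_verified") is not True:
        return "refused:email_not_verified", None
    if email.rsplit("@", 1)[-1] not in domains:
        return "refused:domain_not_owned_by_issuer", None

    matches = [u for u in users if normalize_email(u.email) == email]
    if not matches:
        return "no_match", None
    user = matches[0]

    # 3. Never auto-link into a privileged account; require a manual link.
    if user.is_superuser:
        return "refused:privileged_account", None

    # 4. A second subject at the same issuer claiming an already-linked
    #    account's email is a conflict, not a second login path.
    if any(i == iss and s != sub for i, s in user.linked_identities):
        return "refused:identity_conflict", None

    user.linked_identities.add((iss, sub))
    return "linked", user


if __name__ == "__main__":
    # Attacker-controlled IdP presenting the admin's email (constructed).
    hostile = {"iss": "https://attacker.example", "sub": "x1",
               "email": "Admin@corp.example", "email_verified": True}
    print(vulnerable_auto_link(hostile, make_users()))   # the admin account
    print(hardened_auto_link(hostile, make_users()))     # refused
```

The `email_verified` check only carries weight because step 1 restricts it to issuers the operator configured; the same claim from an arbitrary IdP is attacker-controlled data. The safest default for a gateway that fronts administrative accounts is to disable email-based auto-linking entirely and create a new unprivileged account on first login, leaving linking to an explicit, authenticated action by the account owner.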
EPSS 0.04% · 12.6th percentile
Risk Scores
CVSS v3.1: 8.3 (HIGH)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
(network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope; high confidentiality and integrity impact, low availability impact)
EPSS: 0.04% (12.6th percentile)
Affected Products
| Vendor | Product | Package version (epoch:version-release) |
|---|---|---|
| Red Hat | Red Hat Ansible Automation Platform 2.6 for RHEL 9 | 0:4.7.11-2.el9ap |
| Red Hat | Red Hat Ansible Automation Platform 2.6 for RHEL 9 | 0:2.6.20260422-1.el9ap |
Timeline
- May 4, 2026 CVE Published
- May 4, 2026 PoC Published
- May 4, 2026 CVE Updated
- May 4, 2026 Distribution Patch
- May 4, 2026 Security Advisory
- May 5, 2026 EPSS Score
- May 5, 2026 Distribution Patch
- May 5, 2026 Security Advisory
References
- RHSA-2026:13508 (vendor advisory)
- https://access.redhat.com/security/cve/CVE-2026-6266 (Red Hat CVE page)
- RHBZ#2458142 (Red Hat Bugzilla issue)