CVE-2025-9908 PUBLISHED

Event-driven-ansible: Sensitive internal headers disclosure in AAP EDA Event Streams

Assigner: redhat
Reserved: 03.09.2025 Published: 27.02.2026 Updated: 27.02.2026

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or inject malicious events.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 6.7

Product Status

Vendor: Red Hat

Product: Red Hat Ansible Automation Platform 2.5 for RHEL 8
Versions: Default: affected
  • unaffected from 0:3.1.1-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:25.12.2-1.1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:0.1.4-1.el8ap to * (excl.)
  • unaffected from 0:1.1.14-1.el8ap to * (excl.)
  • unaffected from 0:4.10.10-1.el8ap to * (excl.)
  • unaffected from 0:2.13.0-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:0.4.0-1.el8ap to * (excl.)
  • unaffected from 0:4.2.26-1.el8ap to * (excl.)
  • unaffected from 0:2.1.2-1.el8ap to * (excl.)
  • unaffected from 0:0.4.36-2.el8ap to * (excl.)
  • unaffected from 0:4.10.10-1.el8ap to * (excl.)
  • unaffected from 0:23.0.0-1.el8ap to * (excl.)
  • unaffected from 0:1.6.0-1.el8ap to * (excl.)
  • unaffected from 0:9.0.1-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.el8ap to * (excl.)
  • unaffected from 0:3.8.0-1.el8ap to * (excl.)
  • unaffected from 0:0.2.15-1.el8ap to * (excl.)
  • unaffected from 0:0.4.2-1.el8ap to * (excl.)
  • unaffected from 0:25.12.0-1.2.el8ap to * (excl.)
  • unaffected from 0:4.15.0-1.el8ap to * (excl.)

Product: Red Hat Ansible Automation Platform 2.5 for RHEL 9
Versions: Default: affected
  • unaffected from 0:3.1.1-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:25.12.2-1.1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:0.1.4-1.el9ap to * (excl.)
  • unaffected from 0:1.1.14-1.el9ap to * (excl.)
  • unaffected from 0:4.10.10-1.el9ap to * (excl.)
  • unaffected from 0:2.13.0-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:0.4.0-1.el9ap to * (excl.)
  • unaffected from 0:4.2.26-1.el9ap to * (excl.)
  • unaffected from 0:2.1.2-1.el9ap to * (excl.)
  • unaffected from 0:0.4.36-2.el9ap to * (excl.)
  • unaffected from 0:4.10.10-1.el9ap to * (excl.)
  • unaffected from 0:23.0.0-1.el9ap to * (excl.)
  • unaffected from 0:1.6.0-1.el9ap to * (excl.)
  • unaffected from 0:9.0.1-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.el9ap to * (excl.)
  • unaffected from 0:3.8.0-1.el9ap to * (excl.)
  • unaffected from 0:0.2.15-1.el9ap to * (excl.)
  • unaffected from 0:0.4.2-1.el9ap to * (excl.)
  • unaffected from 0:25.12.0-1.2.el9ap to * (excl.)
  • unaffected from 0:4.15.0-1.el9ap to * (excl.)

Product: Red Hat Ansible Automation Platform 2.6 for RHEL 9
Versions: Default: affected
  • unaffected from 0:1.2.1-1.el9ap to * (excl.)

Product: Red Hat Ansible Automation Platform 2.5
Versions: Default: affected
  • unaffected from sha256:07673470fb62db8bec12ec20b2500228c0c6d5108916dd936d91e10610b783d1 to * (excl.)

Product: Red Hat Ansible Automation Platform 2.6
Versions: Default: affected
  • unaffected from sha256:142125ce7f176ce4d9755f3124714bbfd8e10a687378988761d5451bd135ca76 to * (excl.)

Workarounds

Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.

Credits

  • This issue was discovered by Elijah DeLee (Red Hat).

References

Problem Types

  • CWE: Exposure of Sensitive Information to an Unauthorized Actor