CVE-2026-6266 PUBLISHED

Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking

Assigner: redhat
Reserved: 14.04.2026 Published: 04.05.2026 Updated: 05.05.2026

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 8.3

Product Status

Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 8
Versions Default: affected
  • unaffected from 0:4.6.28-3.el8ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 8
Versions Default: affected
  • unaffected from 0:2.5.20260422-2.el8ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 8
Versions Default: affected
  • unaffected from 0:2.5.20260422-2.el8ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 9
Versions Default: affected
  • unaffected from 0:4.6.28-3.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 9
Versions Default: affected
  • unaffected from 0:2.5.20260422-2.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 9
Versions Default: affected
  • unaffected from 0:2.5.20260422-2.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6 for RHEL 9
Versions Default: affected
  • unaffected from 0:4.7.11-2.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6 for RHEL 9
Versions Default: affected
  • unaffected from 0:2.6.20260422-1.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6 for RHEL 9
Versions Default: affected
  • unaffected from 0:2.6.20260422-1.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6
Versions Default: affected
  • unaffected from 1777377014 to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6
Versions Default: affected
  • unaffected from 1777311120 to * (excl.)

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

  • This issue was discovered by Robin Bobbitt (Red Hat).

References

Problem Types

  • Authentication Bypass by Primary Weakness CWE