VYPR
Unrated severityNVD Advisory· Published Feb 27, 2026· Updated Mar 3, 2026

Event-driven-ansible: sensitive internal headers disclosure in aap eda event streams

CVE-2025-9908

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

6
  • cpe:/a:redhat:ansible_automation_platform:2.5::el8+ 4 more
    • cpe:/a:redhat:ansible_automation_platform:2.5::el8range: sha256:07673470fb62db8bec12ec20b2500228c0c6d5108916dd936d91e10610b783d1
    • cpe:/a:redhat:ansible_automation_platform:2.5::el9range: 0:4.15.0-1.el9ap
    • cpe:/a:redhat:ansible_automation_platform:2.6::el9range: sha256:142125ce7f176ce4d9755f3124714bbfd8e10a687378988761d5451bd135ca76
    • cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9range: 0:1.2.1-1.el9ap
    • (no CPE)

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.