Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Feb 27, 2026
Aap-gateway: improper path validation in gateway allows credential exfiltration
CVE-2025-9909
Description
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or socially engineered administrator can configure a honey-pot route to intercept and exfiltrate user credentials, potentially maintaining persistent access or creating a backdoor even after their permissions are revoked.
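A defensive audit for the route field named above, as an added example that is not Red Hat's code or the fix shipped in the errata: it flags any gateway_path with a double-slash prefix and, going beyond the advisory, percent-encoded or backslash variants, empty segments and dot segments. The route dictionary shape, the `name` key and the sample routes are assumptions.

```python
from urllib.parse import unquote

def _decode(path, rounds=3):
    """Percent-decode up to `rounds` times so %2F and %252F forms are seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def audit_gateway_path(gateway_path):
    """Return the reasons a path should be rejected (empty list = acceptable)."""
    reasons = []
    path = _decode(gateway_path).replace("\\", "/")
    if path != gateway_path:
        reasons.append("encoded or backslash form differs from literal path")
    if not path.startswith("/"):
        reasons.append("not an absolute path")
    if path.startswith("//"):
        reasons.append("double-slash prefix")
    elif "//" in path:
        reasons.append("empty path segment")
    if any(seg in (".", "..") for seg in path.split("/")):
        reasons.append("dot segment")
    return reasons

def audit_routes(routes):
    """Map route name -> reasons, for routes that fail the audit."""
    findings = {}
    for route in routes:
        reasons = audit_gateway_path(route["gateway_path"])
        if reasons:
            findings[route["name"]] = reasons
    return findings

# Constructed sample routes (names and paths are illustrative, not from the advisory).
SAMPLE_ROUTES = [
    {"name": "controller-api", "gateway_path": "/api/controller/"},
    {"name": "lookalike", "gateway_path": "//api/controller/"},
    {"name": "encoded", "gateway_path": "/%2Fapi/controller/"},
    {"name": "nested", "gateway_path": "/api//controller/"},
]

if __name__ == "__main__":
    for name, reasons in audit_routes(SAMPLE_ROUTES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against an export of the configured routes; any finding is a route to review by hand, including who created it and when.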
Affected products (5)
- Red Hat/Red Hat Ansible Automation Platform 2.5 · v5 · cpe:/a:redhat:ansible_automation_platform:2.5::el8 · Range: sha256:93b5d66f1fa8a3241d999df47c8430c13fa11b751b5fc3d4a8fd2a39d282b3fd
- Red Hat/Red Hat Ansible Automation Platform 2.6 · v5 · cpe:/a:redhat:ansible_automation_platform:2.6::el9 · Range: sha256:d6bd83a65b6a0ca9cead0652736c51dd1ab02fc8d9ee2a5c19e413a5239c0cb7
- Red Hat/Red Hat Ansible Automation Platform 2.6 for RHEL 9 · v5 · cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9 · Range: 0:2.6.20251119-1.el9ap
- Red Hat/Red Hat Ansible Automation Platform 2.5 for RHEL 9 · v5 · cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9 · Range: 0:4.15.0-1.el9ap
Patches
No patches discovered yet.
References
- access.redhat.com/errata/RHSA-2025:21768 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2025:21775 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2025:23069 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2025:23131 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/security/cve/CVE-2025-9909 (mitre, vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre, issue-tracking, x_refsource_REDHAT)