CVE-2026-6266
Published: 04 May 2026
Description
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
Security Summary
CVE-2026-6266 is a vulnerability in the Ansible Automation Platform (AAP) gateway, specifically affecting the user auto-link strategy introduced in AAP 2.6. This feature automatically links an external Identity Provider (IDP) identity to an existing AAP user account based solely on email matching, without verifying email ownership. Published on 2026-05-04, the flaw carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-305 (Authentication Bypass by Primary Weakness).
A remote attacker with low privileges can exploit this issue by manipulating the email provided through the IDP during authentication. By controlling or spoofing an IDP identity with an email address matching a target AAP user account, the attacker can link their IDP identity to the victim's account, potentially hijacking it. This grants unauthorized access to the victim's privileges, including administrative accounts if targeted, enabling high-impact confidentiality and integrity violations such as data exfiltration or privilege escalation.
Red Hat has addressed the vulnerability through multiple security errata, including RHSA-2026:13508, RHSA-2026:13512, and RHSA-2026:13545, with additional details available on the CVE page and Bugzilla entry 2458142. Security practitioners should apply these patches promptly to mitigate the risk.
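To make the weakness class concrete, the following is an added illustration (not AAP's code, and not from the advisory) of an email-only auto-link strategy beside a stricter policy that only trusts an identity already bound to an account, or a verified email from a trusted issuer, and never auto-links onto a privileged account. The data model, the `TRUSTED_ISSUERS` setting and all sample values are constructed for the example.

```python
# Added illustration of email-only IdP auto-linking (the weakness class in
# CVE-2026-6266) beside a stricter policy. Hypothetical model; not AAP code.
from dataclasses import dataclass, field


@dataclass
class IdpIdentity:
    issuer: str            # IdP that issued the assertion (OIDC "iss")
    subject: str           # stable per-user id at that IdP (OIDC "sub")
    email: str
    email_verified: bool   # the IdP's own claim; a rogue IdP can assert anything


@dataclass
class User:
    username: str
    email: str
    is_superuser: bool = False
    linked: set = field(default_factory=set)   # {(issuer, subject)} bindings


TRUSTED_ISSUERS = {"https://idp.corp.example"}   # constructed sample config


def autolink_email_only(ident, users):
    """Vulnerable strategy: any IdP identity whose email matches an account
    is bound to it, so whoever controls the asserted email owns the account."""
    for u in users:
        if u.email.lower() == ident.email.lower():
            u.linked.add((ident.issuer, ident.subject))
            return u
    return None


def autolink_strict(ident, users):
    """Example hardened policy: honour an existing (issuer, subject) binding;
    otherwise auto-link only a verified email from a trusted issuer, and
    refuse to auto-link privileged accounts (those need an explicit link)."""
    key = (ident.issuer, ident.subject)
    for u in users:
        if key in u.linked:
            return u                      # returning user, already bound
    if ident.issuer not in TRUSTED_ISSUERS or not ident.email_verified:
        return None                       # email ownership not established
    for u in users:
        if u.email.lower() == ident.email.lower():
            if u.is_superuser:
                return None               # never auto-link admin accounts
            u.linked.add(key)
            return u
    return None
```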
Details
- CWE(s): CWE-305 (Authentication Bypass by Primary Weakness)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flawed email-based auto-link in the AAP gateway (authentication bypass, CWE-305) allows remote exploitation of a public-facing application (T1190) to take over existing valid accounts (T1078) without any ownership verification; when privileged accounts are targeted, the result is privilege escalation (T1068).