CVE-2025-9907

CWE-200Information Exposure4 documents4 sources
Severity
6.7MEDIUM
EPSS
0.0%
top 98.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Redhat Ansible Automation PlatformRedhat Ansible DeveloperRedhat Ansible Inside
Timeline
PublishedFeb 27

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to al

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages3 packages

NVDredhat/ansible_inside1.3, 1.4+1
NVDredhat/ansible_developer1.2, 1.3+1

🔴Vulnerability Details

2
GHSA
GHSA-3mcc-r9wq-f9g6: A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API2026-02-27
CVEList
Event-driven-ansible: event stream test mode exposes sensitive headers in aap eda2026-02-27

📋Vendor Advisories

1
Red Hat
event-driven-ansible: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA2025-09-17