CVE-2025-9908: Sensitive Information Exposure in Red Hat Ansible Automation Platform

Severity: 6.7 MEDIUM (NVD)
EPSS: 0.0% (top 98.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 27

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.
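The weakness described above is that request headers set by the infrastructure in front of the event stream receiver (X-Trusted-Proxy, X-Envoy-*) end up in data an authenticated user can read through event payloads or job templates. The following is an added example, not Red Hat's or Event-Driven Ansible's code: it strips such headers from an inbound webhook event before the event is handed on, and it walks an event or job-template definition to flag any place where an internal header name, or a Jinja reference to one, is still present. The event layout (`payload.headers`), the job-template layout (`extra_vars`), the sample data and the deny list are all assumptions made for the example.

```python
"""
Added example (not EDA's own code): drop internal infrastructure headers
from a webhook event before forwarding it, and scan payloads or job
templates for any that leaked through.

Assumptions (hypothetical): the receiver stores request headers under
event["payload"]["headers"]; job templates carry user-controlled
expressions under "extra_vars".  The deny list is ours, built from the
header names the advisory mentions.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Header names named in the advisory, matched case-insensitively
# (HTTP header names are case-insensitive).
DENY_EXACT = {"x-trusted-proxy"}
DENY_PREFIXES = ("x-envoy-",)

# Same families, but matched inside string values so that a template
# expression such as "{{ event.payload.headers['X-Envoy-...'] }}" is caught.
HEADER_RE = re.compile(r"x-(?:trusted-proxy|envoy-[a-z0-9-]+)", re.IGNORECASE)


def is_internal_header(name: str) -> bool:
    n = name.lower()
    return n in DENY_EXACT or n.startswith(DENY_PREFIXES)


def sanitize_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers safe to expose, names that were dropped)."""
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_internal_header(name):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def find_leaked_headers(obj: Any, path: str = "$") -> List[str]:
    """Walk a JSON-like structure and return path-style locations that either
    carry an internal header as a key or reference one inside a string."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and is_internal_header(key):
                hits.append(child)  # the header itself is in the payload
            else:
                hits.extend(find_leaked_headers(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_leaked_headers(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and HEADER_RE.search(obj):
        hits.append(path)  # e.g. a Jinja expression reading the header
    return hits


# Constructed sample event, shaped like a webhook delivery the receiver
# might build (values are made up for the example).
SAMPLE_EVENT = {
    "payload": {
        "headers": {
            "Content-Type": "application/json",
            "User-Agent": "ci-bot/1.0",
            "X-Trusted-Proxy": "1",
            "X-Envoy-Original-Path": "/api/eda/v1/external_event_stream/abc",
            "X-Envoy-External-Address": "10.0.0.5",
        },
        "body": {"ref": "refs/heads/main"},
    }
}

# Constructed job template whose extra_vars tries to read an internal header.
SAMPLE_TEMPLATE = {
    "name": "deploy",
    "extra_vars": {
        "proxy_flag": "{{ event.payload.headers['X-Trusted-Proxy'] }}",
        "branch": "{{ event.payload.body.ref }}",
    },
}


def demo() -> Dict[str, Any]:
    kept, dropped = sanitize_headers(SAMPLE_EVENT["payload"]["headers"])
    clean_event = {"payload": {**SAMPLE_EVENT["payload"], "headers": kept}}
    return {
        "dropped": dropped,
        "raw_hits": find_leaked_headers(SAMPLE_EVENT),
        "clean_hits": find_leaked_headers(clean_event),
        "template_hits": find_leaked_headers(SAMPLE_TEMPLATE),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scan deliberately matches header names inside string values as well as dictionary keys: after the receiver is fixed to drop the headers, a job template that still dereferences `event.payload.headers['X-Trusted-Proxy']` is harmless, but finding it tells you which templates were written to harvest the values.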

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected Packages: 3 packages

🔴 Vulnerability Details (2)

GHSA: GHSA-c2g3-cfch-p5h4: A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams (2026-02-27)
CVEList: Event-driven-ansible: sensitive internal headers disclosure in AAP EDA event streams (2026-02-27)

📋 Vendor Advisories (1)

Red Hat: event-driven-ansible: Sensitive Internal Headers Disclosure in AAP EDA Event Streams (2025-09-17)
CVE-2025-9908 — Sensitive Information Exposure | cvebase