Bug 2418785 (CVE-2025-14025)

Summary: CVE-2025-14025 ansible-automation-platform/aap-gateway: aap-gateway: Read-only Personal Access Token (PAT) bypasses write restrictions
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: carogers, erezende, haoli, hkataria, jajackso, jcammara, jmitchel, jneedle, kegrant, koliveir, kshier, mabashia, pbohmill, pbraun, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (for example Controller, Hub, and EDA). If this flaw were exploited, an attacker's capabilities would be limited only by role-based access control (RBAC).

Description OSIDB Bzimport 2025-12-04 12:33:03 UTC
See bug report https://issues.redhat.com/browse/AAP-59025
Create a Personal Access Token (PAT) on Gateway; the user account in this case was an admin account. Configure the token's scope to be read-only. Use the token to attempt a write operation on the Controller component. The write operation proceeds despite the token being read-only. Attempt to create a new team on Gateway and the operation correctly fails, as Gateway uses the read-only scope. While the user account was an admin account, the token's read-only scope should have been acknowledged. This does not feel like a true escalation-of-privileges vulnerability since the user account was an admin.
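The following is an added verification script, not code from Red Hat or the AAP project, for confirming after applying the errata that a read-only Gateway token is refused on a Controller write path proxied through the Gateway. It assumes (not stated in the report) that Controller is reachable under /api/controller/v2/ on the Gateway host, that the token is passed as a Bearer header, and that an empty POST body which gets past authorization is stopped by field validation (HTTP 400) rather than creating anything.

```python
import json
import urllib.error
import urllib.request

# Assumed (not from the bug report): the Gateway proxies Controller under
# /api/controller/v2/ and accepts 'Authorization: Bearer <token>'. The teams
# endpoint mirrors the report's write operation (team creation).
TEAMS_PATH = "/api/controller/v2/teams/"


def http_status(base_url, token, method, path, body=None):
    """Return the HTTP status of one request; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(read_status, write_status):
    """Interpret the probe pair.

    Correct enforcement: the GET succeeds (200) and the POST is refused at
    authorization (403). A POST answered 400 means the empty body was rejected
    by field validation, i.e. it got past the scope check: the flaw is present.
    """
    if read_status != 200:
        return "inconclusive: read probe failed, check token and base URL"
    if write_status in (401, 403):
        return "enforced: read-only scope blocked the write"
    if write_status in (400, 201):
        return "not enforced: write reached the backend (CVE-2025-14025 behaviour)"
    return f"inconclusive: unexpected write status {write_status}"


def check_readonly_scope(base_url, token, status_fn=http_status):
    """Probe read then write; status_fn is injectable for offline testing."""
    read_status = status_fn(base_url, token, "GET", TEAMS_PATH)
    # Empty JSON body: with the fix applied this never reaches validation.
    write_status = status_fn(base_url, token, "POST", TEAMS_PATH, body={})
    return classify(read_status, write_status)
```

Run it as `check_readonly_scope("https://<gateway-host>", "<read-only token>")` against a non-production instance; the read probe uses the same endpoint so a failed GET flags a bad token or base URL rather than a false "enforced" result.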

Comment 3 errata-xmlrpc 2026-01-08 14:09:28 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2026:0360 https://access.redhat.com/errata/RHSA-2026:0360

Comment 4 errata-xmlrpc 2026-01-08 14:09:40 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2026:0361 https://access.redhat.com/errata/RHSA-2026:0361