Bug 2458142 (CVE-2026-6266)

Summary: CVE-2026-6266 aap-controller: aap-gateway: Account hijacking and unauthorized access via unverified email linking
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: dschmidt, erezende, jlanda, kshier, security-response-team, simaishi, smcdonal, stcannon, teagle, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description OSIDB Bzimport 2026-04-14 06:33:43 UTC
AAP 2.6 introduced a user auto-link strategy that automatically links an external IDP identity to an existing AAP user account when the IDP-provided email matches a user's email. The system performs no verification that the email is actually proven to belong to the authenticating user, and the behavior is hard-coded with no admin toggle. This creates two primary exploitable attack paths: (1) a regular AAP user can pre-position their account to pre-hijack a victim's first IDP login; (2) an attacker who can set an arbitrary email on a configured IDP can link to any existing AAP account, including admin accounts.

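As an added illustration (not AAP gateway code; the types, field names and policy below are assumed), a link policy that closes both paths described above: it auto-links only when the IdP issuer is trusted and asserts the e-mail as verified, the local account's e-mail ownership has been proven, and the account is not privileged; every other case falls back to re-authenticating with the existing account's own credentials before any link is made, and the admin toggle the reported behaviour lacks is an explicit parameter.

```python
"""Defensive auto-link policy for IdP identity -> local account (added
example, not the AAP gateway implementation; all names are assumed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    LINK = "link"                       # safe to link without interaction
    REQUIRE_REAUTH = "require_reauth"   # link only after local password re-auth
    CREATE_NEW = "create_new"           # no local match: provision a fresh user
    DENY = "deny"                       # inconsistent input, refuse outright


@dataclass(frozen=True)
class LocalUser:
    username: str
    email: str
    email_verified: bool    # ownership proven by the local service (mail loop)
    is_superuser: bool


@dataclass(frozen=True)
class IdpIdentity:
    issuer: str             # IdP that authenticated the user
    subject: str            # stable subject id at that IdP
    email: str
    email_verified: bool    # e.g. the OIDC `email_verified` claim


def normalize_email(email: str) -> str:
    # Compare case-insensitively and ignore surrounding whitespace.
    return email.strip().casefold()


def find_local_user(users: list, email: str) -> Optional[LocalUser]:
    # Exact match on the normalized address; the caller must not guess further.
    wanted = normalize_email(email)
    return next((u for u in users if normalize_email(u.email) == wanted), None)


def decide_link(local: Optional[LocalUser], idp: IdpIdentity, *,
                auto_link_enabled: bool, trusted_issuers: frozenset) -> Decision:
    if local is None:
        return Decision.CREATE_NEW
    if normalize_email(local.email) != normalize_email(idp.email):
        return Decision.DENY                    # lookup and claim disagree
    if not auto_link_enabled:                   # the missing admin toggle
        return Decision.REQUIRE_REAUTH
    if local.is_superuser:                      # never silently into admin
        return Decision.REQUIRE_REAUTH
    if idp.issuer not in trusted_issuers or not idp.email_verified:
        return Decision.REQUIRE_REAUTH          # attacker-controlled IdP email
    if not local.email_verified:                # pre-registered, unproven
        return Decision.REQUIRE_REAUTH          # account: blocks pre-hijack
    return Decision.LINK
```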
Comment 3 errata-xmlrpc 2026-05-04 13:59:06 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 10
  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2026:13508 https://access.redhat.com/errata/RHSA-2026:13508

Comment 4 errata-xmlrpc 2026-05-04 14:15:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:13512 https://access.redhat.com/errata/RHSA-2026:13512