AAP 2.6 introduced a user auto-link strategy that automatically links an external IDP identity to an existing AAP user account whenever the email address supplied by the IDP matches the email of a local user. The system does not verify that this email address has actually been proven to belong to the authenticating user, and the behavior is hard-coded with no administrator toggle to disable it. This creates two primary exploitable attack paths: (1) a regular AAP user can pre-position their account so that a victim's first IDP login is linked to it (a pre-hijack); (2) an attacker who can set an arbitrary email address on a configured IDP can link to any existing AAP account, including administrator accounts.
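As an added illustration (not AAP's code and not Red Hat's fix), the email-match auto-link pattern described above sits beside a hardened policy that is an explicit admin setting, consults only an issuer allow-list, requires the email to be proven on both the IDP side (the OIDC `email_verified` claim) and the local side, and never auto-links privileged accounts; the in-memory user store, the local `email_verified` flag and all names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    username: str
    email: str
    is_superuser: bool = False
    email_verified: bool = False   # local mailbox proven; hypothetical flag, not an AAP field
    linked_identities: set = field(default_factory=set)

@dataclass
class IdpAssertion:
    issuer: str
    subject: str
    email: str
    email_verified: bool = False   # OIDC standard claim; a missing claim is treated as False

def autolink_unsafe(users, assertion):
    """The pattern the advisory describes: the first local account whose email
    matches the IDP-supplied email is linked, with no proof and no admin toggle."""
    for user in users.values():
        if user.email.casefold() == assertion.email.casefold():
            user.linked_identities.add((assertion.issuer, assertion.subject))
            return user
    return None

def autolink_safe(users, assertion, trusted_issuers, autolink_enabled):
    """Hardened policy (illustration, not the vendor's fix). Returns the linked
    user, or None, which means: fall through to an explicit linking flow."""
    if not autolink_enabled or assertion.issuer not in trusted_issuers:
        return None                   # admin toggle plus an issuer allow-list
    if not assertion.email_verified:
        return None                   # the IDP has not proven control of the mailbox
    for user in users.values():
        if user.email.casefold() != assertion.email.casefold():
            continue
        if user.is_superuser or not user.email_verified:
            return None               # never auto-link privileged or unproven local accounts
        user.linked_identities.add((assertion.issuer, assertion.subject))
        return user
    return None

def demo_users():
    """Constructed sample accounts; 'mallory' set a local email to someone else's address and never verified it."""
    return {
        "admin": LocalUser("admin", "admin@example.test", is_superuser=True, email_verified=True),
        "alice": LocalUser("alice", "alice@example.test", email_verified=True),
        "mallory": LocalUser("mallory", "victim@example.test"),
    }
```

Run against `demo_users()`, the unsafe function links an IDP identity carrying `admin@example.test` straight to the superuser, while the hardened policy returns None for that case, for an unverified claim, for an unknown issuer, for the pre-positioned unverified local account, and whenever the toggle is off.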
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 10
  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2026:13508: https://access.redhat.com/errata/RHSA-2026:13508
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:13512: https://access.redhat.com/errata/RHSA-2026:13512