CVE-2025-9907

EUVD-2025-208132

27.02.2026, 08:17

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.7 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
redhat	ansible_automation_platform	𝑥 < 2.6
redhat	ansible_developer	1.2
redhat	ansible_developer	1.3
redhat	ansible_inside	1.3
redhat	ansible_inside	1.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://access.redhat.com/errata/RHSA-2025:19201

https://access.redhat.com/errata/RHSA-2025:19221

https://access.redhat.com/errata/RHSA-2025:23069

https://access.redhat.com/errata/RHSA-2025:23131

https://access.redhat.com/security/cve/CVE-2025-9907

https://bugzilla.redhat.com/show_bug.cgi?id=2392834