CVE-2025-9908

EUVD-2025-208133

27.02.2026, 08:17

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.7 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
redhat	ansible_automation_platform	𝑥 < 2.6
redhat	ansible_developer	1.2
redhat	ansible_developer	1.3
redhat	ansible_inside	1.3
redhat	ansible_inside	1.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://access.redhat.com/errata/RHSA-2025:19201

https://access.redhat.com/errata/RHSA-2025:19221

https://access.redhat.com/errata/RHSA-2025:23069

https://access.redhat.com/errata/RHSA-2025:23131

https://access.redhat.com/security/cve/CVE-2025-9908

https://bugzilla.redhat.com/show_bug.cgi?id=2392835