4060 matches found
CVE-2026-12726
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...
CVE-2026-12726 Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...
CVE-2026-12726
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...
Astra Linux – Vulnerability in Ansible
A flaw was discovered in the Ansible Engine when using the moduleargs feature. Tasks executed with the --check-mode option do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The greatest threat posed by this vulnerability is...
Linux Distros Unpatched Vulnerability : CVE-2026-44188
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access t...
CVE-2026-44188
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...
Important: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.7 Container Release Update
An update is now available for Red Hat Ansible Automation Platform 2.7 Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams,...
CVE-2026-44188 Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...
CVE-2026-44188 Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...
EUVD-2026-36702
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...
CVE-2026-44188
Affects Ansible Lightspeed (and Red Hat Ansible Automation Platform context) via insufficient session expiration that allows a valid OAuth token to remain usable after logout, enabling persistent access and unauthorized read of inventories, playbooks, and config data. The connected Red Hat adviso...
PT-2026-49189
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...
Critical Photon OS Security Update - PHSA-2026-5.0-0881
Updates of 'ansible', 'httpd' packages of Photon OS have been released...
UBUNTU-CVE-2026-44188
A flaw was found in Ansible Lightspeed. This vulnerability, related to...
CVE-2026-11332 affecting package ansible for versions less than 2.17.11-2
CVE-2026-11332 affecting package ansible for versions less than 2.17.11-2. A patched version of the package is available...
ansible-core-2.21.0-3.1 on GA media (moderate)
ansible-core-2.21.0-3.1 on GA media Announcement ID: openSUSE-SU-2026:11007-1 Rating: moderate Cross-References: CVE-2026-11332 CVSS scores: CVE-2026-11332 SUSE : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can no...
OPENSUSE-SU-2026:11007-1 ansible-core-2.21.0-3.1 on GA media
These are all security issues fixed in the ansible-core-2.21.0-3.1 package on the GA media of openSUSE Tumbleweed...
Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-11332)
The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-11332 advisory. - A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency...
CVE-2026-45552 Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...
EUVD-2026-36035
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...