CVE-2025-14025

high

Description

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker‘s capabilities would only be limited by role based access controls (RBAC).

References

Advisories
More

https://access.redhat.com/errata/RHSA-2026:0409

https://access.redhat.com/errata/RHSA-2026:0408

https://access.redhat.com/errata/RHSA-2026:0361

https://access.redhat.com/errata/RHSA-2026:0360

https://bugzilla.redhat.com/show_bug.cgi?id=2418785

https://access.redhat.com/security/cve/CVE-2025-14025

https://access.redhat.com/articles/7136004

Details

Source: Mitre, NVD

Published: 2026-01-08

Updated: 2026-01-08

Risk Information

CVSS v2

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.5

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00058