CVE-2025-9908

medium

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2025:23131

https://access.redhat.com/errata/RHSA-2025:23069

https://access.redhat.com/errata/RHSA-2025:19221

https://access.redhat.com/errata/RHSA-2025:19201

https://bugzilla.redhat.com/show_bug.cgi?id=2392835

https://access.redhat.com/security/cve/CVE-2025-9908

Details

Source: Mitre, NVD

Published: 2026-02-27

Updated: 2026-02-27

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.7

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: Medium

EPSS

EPSS: 0.0001