What is CVE-2026-6266?

CVE-2026-6266 is a high-severity vulnerability in Red Hat Ansible Automation Platform 2.5 For Rhel 8, classified under Authentication Bypass by Primary Weakness. CVSS score: 8.3/10. Published 2026-05-04.

How severe is CVE-2026-6266?

High severity. CVSS v3 base score is 8.3 out of 10.

Vulnerability in Red Hat Ansible Automation Platform 2.5 For Rhel 8

CVE-2026-6266

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email owner…

EPSS: 0.000 (12.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L.

Affected products

Red Hat Ansible Automation Platform 2.5 For Rhel 8 — versions 0:4.6.28-3.el8ap, 0:2.5.20260422-2.el8ap
Red Hat Ansible Automation Platform 2.5 For Rhel 9 — versions 0:4.6.28-3.el9ap, 0:2.5.20260422-2.el9ap
Red Hat Ansible Automation Platform 2.6 — versions 1777377014, 1777311120
Red Hat Ansible Automation Platform 2.6 For Rhel 9 — versions 0:4.7.11-2.el9ap, 0:2.6.20260422-1.el9ap

Weakness classification (CWE)

CWE-305 — Authentication Bypass by Primary Weakness

References

RHSA-2026:13508 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_REDHAT, vdb-entry)
RHBZ#2458142 (x_refsource_REDHAT, issue-tracking)
RHSA-2026:13512 (x_refsource_REDHAT, vendor-advisory)
RHSA-2026:13545 (x_refsource_REDHAT, vendor-advisory)

Frequently asked questions

What is CVE-2026-6266?: CVE-2026-6266 is a high-severity vulnerability in Red Hat Ansible Automation Platform 2.5 For Rhel 8, classified under Authentication Bypass by Primary Weakness. CVSS score: 8.3/10. Published 2026-05-04.
How severe is CVE-2026-6266?: High severity. CVSS v3 base score is 8.3 out of 10.