CVE-2025-2877 MEDIUM

CVE-2025-2877: Event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in eda

Weakness CWE-1295
Published March 28, 2025
Last update March 20, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.

Key dates

02Disclosure timeline

March 28, 2025 CVE published
March 20, 2026 Record updated