CVE-2025-49520 HIGH

CVE-2025-49520: Event-driven-ansible: authenticated argument injection in git url in eda project creation

Weakness CWE-88
Published June 30, 2025
Last update November 13, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

Key dates

02Disclosure timeline

June 30, 2025 CVE published
November 13, 2025 Record updated