CVE-2025-9907 MEDIUM

CVE-2025-9907: Event-driven-ansible: event stream test mode exposes sensitive headers in aap eda

Weakness CWE-200 · Info exposure
Published February 27, 2026
Last update February 28, 2026

CVSS base score

6.7/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in the Event Stream API of Event-Driven Ansible (EDA), a component of the Red Hat Ansible Automation Platform. When an event stream is in test mode, the test_headers field exposes sensitive client credentials and internal infrastructure headers. Possible outcomes include leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent exposure of sensitive data to all users with read access on the event stream.

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
February 28, 2026 Record updated