CVE-2025-9908 MEDIUM

CVE-2025-9908: Event-driven-ansible: sensitive internal headers disclosure in AAP EDA event streams

Weakness CWE-200 · Info exposure
Published February 27, 2026
Last update March 3, 2026

CVSS base score

6.7/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
March 3, 2026 Record updated