CVE-2026-44188 MEDIUM

CVE-2026-44188: Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration

Vendor Red Hat
Product Red Hat Ansible Automation Platform 2
Weakness CWE-613 · Insufficient session expiration
Published June 15, 2026
Last update June 15, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.

Key dates

02Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated