CVE-2025-14025
Published: 08 January 2026
Summary
CVE-2025-14025 is a high-severity Incorrect Execution-Assigned Permissions (CWE-279) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 30.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-14025 is a vulnerability in Ansible Automation Platform (AAP) involving read-only scoped OAuth2 API tokens. The read-only scope of these tokens is enforced at the Gateway level only for Gateway-specific operations; the flaw allows the same tokens to perform write operations on backend services such as Controller, Hub, and EDA. Exploitation is constrained by role-based access controls (RBAC). The issue is rated with a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-279 (Incorrect Execution-Assigned Permissions).
An attacker with low privileges, such as one possessing a read-only OAuth2 API token, can exploit this over the network with high attack complexity and no user interaction required. Successful exploitation enables write operations on AAP backend services beyond the intended read-only scope, with the attacker's impact limited solely by their RBAC permissions. This results in high confidentiality, integrity, and availability impacts across a changed scope.
Red Hat advisories, including the security article at https://access.redhat.com/articles/7136004 and errata RHSA-2026:0360, RHSA-2026:0361, RHSA-2026:0408, and RHSA-2026:0409, address the vulnerability through updated packages for affected AAP components. Security practitioners should apply these patches promptly to enforce proper token scoping across all services.
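The enforcement gap described above, modelled as an added example (not AAP's code): a gateway checks token scope only for its own operations and forwards everything else, so a backend that trusts the gateway and checks only RBAC will honour a write from a read-only token; the hardened backend re-checks scope before RBAC, which is the AC-3 behaviour the advisories restore. Service names, the `Token`/`Request` types and the permission strings are assumptions.

```python
"""Constructed model of gateway-only scope enforcement versus per-service
enforcement. Not AAP's code; service names and permission strings are
assumptions made for illustration."""
from dataclasses import dataclass, field

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Token:
    user: str
    scope: str                       # "read" or "write" (assumed scope names)
    rbac_perms: set = field(default_factory=set)   # e.g. "controller:job_templates:write"


@dataclass(frozen=True)
class Request:
    method: str
    service: str                     # "gateway", "controller", "hub" or "eda"
    resource: str


def scope_allows(token: Token, request: Request) -> bool:
    """Token-scope check: a read-only token may never use a write method."""
    return token.scope == "write" or request.method not in WRITE_METHODS


def rbac_allows(token: Token, request: Request) -> bool:
    """RBAC check: the user's role must grant the action on this resource."""
    action = "write" if request.method in WRITE_METHODS else "read"
    return f"{request.service}:{request.resource}:{action}" in token.rbac_perms


def backend_handle_vulnerable(token: Token, request: Request) -> bool:
    # Weak form: the backend assumes the gateway already enforced scope
    # and checks RBAC only, so the read-only scope is silently dropped.
    return rbac_allows(token, request)


def backend_handle_fixed(token: Token, request: Request) -> bool:
    # Hardened form: every service enforces scope itself, then RBAC.
    return scope_allows(token, request) and rbac_allows(token, request)


def dispatch(token: Token, request: Request, backend) -> bool:
    """Gateway: enforces scope for its own operations, forwards the rest."""
    if request.service == "gateway":
        return scope_allows(token, request) and rbac_allows(token, request)
    return backend(token, request)
```

In the weak form the only thing standing between a read-only token and a backend write is the user's RBAC grant, which is exactly the "limited by RBAC" condition in the description.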
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1455
Vulnerability details
A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables privilege escalation by bypassing OAuth2 token read-only scoping, allowing write access on backend services within RBAC limits. It also maps to abuse of application access tokens, since the mis-enforced OAuth2 material is what grants the unintended access.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly addressing the failure of backend services to respect read-only OAuth2 token scopes and prevent unauthorized write operations.
SI-2 requires timely identification, reporting, and correction of flaws, enabling patching of the AAP token enforcement vulnerability as provided in Red Hat errata.
AC-6 enforces least privilege through RBAC, limiting the impact of exploited read-only tokens to only the permissions assigned to the attacker's role.