Cyber Resilience

CVE-2025-14025

Severity: High
Published: 08 January 2026
Modified: 15 April 2026
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0039 (30.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-14025 is a high-severity Incorrect Execution-Assigned Permissions (CWE-279) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 30.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14025 is a vulnerability in Ansible Automation Platform (AAP) involving read-only scoped OAuth2 API tokens. The read-only scope is enforced at the Gateway level only for Gateway-specific operations; the flaw allows such tokens to perform write operations on backend services such as Controller, Hub, and EDA. Exploitation is constrained by role-based access controls (RBAC). The issue carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-279 (Incorrect Execution-Assigned Permissions).

An attacker with low privileges, such as one possessing a read-only OAuth2 API token, can exploit this over the network with high attack complexity and no user interaction required. Successful exploitation enables write operations on AAP backend services beyond the intended read-only scope, with the attacker's impact limited solely by their RBAC permissions. This results in high confidentiality, integrity, and availability impacts across a changed scope.

Red Hat advisories, including the security article at https://access.redhat.com/articles/7136004 and errata RHSA-2026:0360, RHSA-2026:0361, RHSA-2026:0408, and RHSA-2026:0409, address the vulnerability through updated packages for affected AAP components. Security practitioners should apply these patches promptly to enforce proper token scoping across all services.

Vulnerability details

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1550.001 Application Access Token (Lateral Movement): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

The vulnerability directly enables privilege escalation by bypassing the read-only scoping of OAuth2 tokens, allowing write access on backend services within RBAC limits. It also maps to abuse of application access tokens, since the mis-enforced OAuth2 token material grants more than its scope advertises.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20062 (shared CWE-279)

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved authorizations, directly addressing the failure of backend services to respect read-only OAuth2 token scopes and preventing unauthorized write operations.

Prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of flaws, enabling patching of the AAP token enforcement vulnerability as provided in the Red Hat errata.

Prevent: AC-6 (Least Privilege) enforces least privilege through RBAC, limiting the impact of an exploited read-only token to the permissions assigned to the attacker's role.
