Cyber Resilience

CVE-2026-6266

Severity: High (updated)
Published: 04 May 2026
Modified: 30 June 2026
KEV added: not listed
Patch: available (Red Hat errata; see Deeper analysis)
CVSS v3.1 base score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS score: 0.0040 (31.7th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6266 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in the Red Hat Ansible Automation Platform gateway (vendor inferred from references; NVD filed no CPE for this CVE). Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-12 (Identity Proofing).

Deeper analysis

CVE-2026-6266 is a vulnerability in the Ansible Automation Platform (AAP) gateway, specifically in the user auto-link strategy introduced in AAP 2.6. This feature automatically links an external Identity Provider (IDP) identity to an existing AAP user account based solely on a matching email address, without verifying that the person behind the IDP identity actually owns that address. Published on 2026-05-04, the flaw carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is classified as CWE-305 (Authentication Bypass by Primary Weakness).

A remote attacker with low privileges exploits this by controlling the email claim that the IDP presents during authentication. By registering or spoofing an IDP identity whose email address matches a target AAP user, the attacker gets that identity linked to the victim's account and can then log in as the victim. This grants the victim's privileges, including administrative rights if an administrator is targeted, enabling high-impact confidentiality and integrity violations such as data exfiltration or privilege escalation. Note that the link is persistent: once bound, the attacker's IDP identity remains attached to the victim's account until an administrator removes it.
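The link decision at the centre of this flaw, modelled as an added Python example (not code from the AAP gateway, and not Red Hat's fix): the vulnerable function binds any IDP identity whose email claim matches a local account, exactly the behaviour described above, while the hardened variant keys identities on the IDP's stable (issuer, subject) pair and allows a first-time auto-link only when the issuer is trusted for the email's domain, the IDP asserts the address as verified, and the target account is not privileged. The type names, function names, issuer trust table and sample accounts are all assumptions made for this illustration, and the hardened policy is a reasonable design rather than a description of what the vendor changed.

```python
"""Model of the IDP-to-local-account link decision described above.

Added illustration, not code from the Ansible Automation Platform gateway
or from Red Hat. Everything here (the User/IdpAssertion types, the
link_identity_* functions, the issuer-to-domain trust table and the
sample accounts) is an assumption made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    is_superuser: bool = False
    # (issuer, subject) pairs of external identities already bound to this user
    linked_identities: set = field(default_factory=set)


@dataclass(frozen=True)
class IdpAssertion:
    issuer: str           # which IDP issued the assertion (OIDC iss / SAML entityID)
    subject: str          # stable per-user identifier from that IDP
    email: str            # email claim exactly as the IDP presented it
    email_verified: bool  # does the IDP itself vouch that the address is owned


class LinkError(Exception):
    pass


def link_identity_vulnerable(assertion, users):
    """The weakness on this page: bind on bare email equality.

    Nothing checks that the IDP is authoritative for the address or that it
    verified it, so any IDP identity carrying a victim's email gets linked
    to, and can log in as, the victim.
    """
    for user in users.values():
        if user.email.lower() == assertion.email.lower():
            user.linked_identities.add((assertion.issuer, assertion.subject))
            return user
    raise LinkError("no matching account")


def link_identity_hardened(assertion, users, trusted_issuers, allow_auto_link=False):
    """Hardened variant (an assumed policy, not the vendor's fix).

    The stable (issuer, subject) pair is the identity key; email is only
    used for a first-time auto-link, and then only when the issuer is trusted
    for that email's domain, the IDP asserts the address as verified, and the
    target account is not privileged.
    """
    key = (assertion.issuer, assertion.subject)
    for user in users.values():          # 1. an already-bound identity wins
        if key in user.linked_identities:
            return user
    if not allow_auto_link:
        raise LinkError("unlinked external identity; explicit linking required")
    domain = assertion.email.rsplit("@", 1)[-1].lower()
    if domain not in trusted_issuers.get(assertion.issuer, set()):  # 2. issuer trust
        raise LinkError(f"issuer not authoritative for {domain}")
    if not assertion.email_verified:                                 # 3. verified claim
        raise LinkError("email not verified by IDP")
    for user in users.values():                                      # 4. no privileged targets
        if user.email.lower() == assertion.email.lower():
            if user.is_superuser:
                raise LinkError("auto-link into privileged account refused")
            user.linked_identities.add(key)
            return user
    raise LinkError("no matching account")


# Constructed trust table: which IDP may vouch for which email domains.
TRUSTED_ISSUERS = {"https://sso.example.org": {"example.org"}}


def hardened_error(assertion, users, allow_auto_link=True):
    """Return the hardened path's refusal message, or None if it linked."""
    try:
        link_identity_hardened(assertion, users, TRUSTED_ISSUERS, allow_auto_link)
        return None
    except LinkError as err:
        return str(err)


def attack_outcomes():
    """Replay the account-hijack path against both variants.

    Returns (account the vulnerable path linked, refusal from the hardened path).
    """
    def fresh_users():
        return {"admin": User("admin", "admin@example.org", is_superuser=True)}

    # Constructed attacker assertion: an IDP the attacker controls presents
    # the administrator's email address and even marks it verified.
    rogue = IdpAssertion("https://idp.attacker.invalid", "attacker-1",
                         "admin@example.org", True)
    hijacked = link_identity_vulnerable(rogue, fresh_users()).username
    return hijacked, hardened_error(rogue, fresh_users())


if __name__ == "__main__":
    print(attack_outcomes())
```

Running the module replays the attack: the vulnerable path hands back the admin account, the hardened path refuses because the attacker's issuer is not authoritative for example.org (and would still refuse a trusted issuer that did not mark the address verified, or any auto-link into a superuser). The same shape is useful for an audit after patching: any account whose linked identities include an issuer that should not be able to assert its email domain deserves a close look.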

Red Hat has addressed the vulnerability through multiple security errata, including RHSA-2026:13508, RHSA-2026:13512, and RHSA-2026:13545, with additional details on the CVE page and in Bugzilla entry 2458142. Security practitioners should apply these patches promptly. Because a successful attack leaves the attacker's IDP identity bound to the victim's account, it is also worth reviewing which AAP accounts acquired linked external identities after AAP 2.6 was deployed, and confirming that each link belongs to the account's real owner.

Vulnerability details

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.

CWE(s)

CWE-305 Authentication Bypass by Primary Weakness

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The flawed email-based auto-link in the AAP gateway (an authentication bypass, CWE-305) lets a remote attacker exploit the public-facing gateway (T1190) to bind their own IDP identity to an existing valid account (T1078) without any ownership check; aiming that at a privileged account turns the hijack into privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0869 (shared CWE-305)
CVE-2025-41733 (shared CWE-305)
CVE-2024-12802 (shared CWE-305)
CVE-2026-30849 (shared CWE-305)
CVE-2025-47776 (shared CWE-305)
CVE-2025-68435 (shared CWE-305)
CVE-2025-36386 (shared CWE-305)
CVE-2026-41054 (shared CWE-305)
CVE-2026-4670 (shared CWE-305)
CVE-2025-13915 (shared CWE-305)

Affected Assets

Red Hat Ansible Automation Platform (gateway; auto-link strategy introduced in AAP 2.6)
Vendor and product inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI mapping)

prevent: Establishes requirements for external identity providers and authorization servers so that identity linking relies on verification beyond an unverified email match, directly preventing account hijacking via IDP manipulation.

prevent (IA-12 Identity Proofing): Mandates identity proofing processes that verify ownership and authenticity of identifiers such as email addresses before an external IDP identity is linked to an AAP account.

prevent (AC-2 Account Management): Requires secure account management practices, including validation and approval before an external identity is linked to an existing account, mitigating unauthorized takeovers.
