CVE-2026-6266
Published: 04 May 2026
Summary
CVE-2026-6266 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 12.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-12 (Identity Proofing).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Establishes requirements for external identity providers and authorization servers to ensure secure identity linking with verification beyond unverified email matching, directly preventing account hijacking via IDP manipulation.
Mandates identity proofing processes to verify ownership and authenticity of identifiers like email addresses before linking external IDP identities to AAP accounts.
Requires secure account management practices, including validation and approval for linking external identities to existing accounts, mitigating unauthorized takeovers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flawed email-based auto-link in the AAP gateway (auth bypass via CWE-305) directly enables remote exploitation of a public-facing service (T1190) to hijack existing valid accounts (T1078) without ownership verification; targeting privileged accounts yields privilege escalation (T1068).
NVD Description
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
Deeper analysis
CVE-2026-6266 is a vulnerability in the Ansible Automation Platform (AAP) gateway, specifically affecting the user auto-link strategy introduced in AAP 2.6. This feature automatically links an external Identity Provider (IDP) identity to an existing AAP user account based solely on email matching, without verifying email ownership. Published on 2026-05-04, the flaw carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-305 (Authentication Bypass by Primary Weakness).
A remote attacker with low privileges can exploit this issue by manipulating the email provided through the IDP during authentication. By controlling or spoofing an IDP identity with an email address matching a target AAP user account, the attacker can link their IDP identity to the victim's account, potentially hijacking it. This grants unauthorized access to the victim's privileges, including administrative accounts if targeted, enabling high-impact confidentiality and integrity violations such as data exfiltration or privilege escalation.
Red Hat has addressed the vulnerability through multiple security errata, including RHSA-2026:13508, RHSA-2026:13512, and RHSA-2026:13545, with additional details available on the CVE page and Bugzilla entry 2458142. Security practitioners should apply these patches promptly to mitigate the risk.
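To make the weakness concrete, the following added example (not AAP's code, and not taken from the errata) models an email-based auto-link decision in two forms: the match-on-email-only behaviour the NVD description describes, and a hardened variant that only auto-links when the issuer is on an allow-list, the IdP asserts the email as verified, exactly one local account matches, and that account is not privileged; every other case is deferred to manual identity proofing (IA-12) rather than linked. Class names, the `email_verified` claim and the sample accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    username: str
    email: str
    is_superuser: bool = False
    # identities already bound to this account, as "issuer:subject" strings
    linked_identities: set = field(default_factory=set)

@dataclass
class IdpClaims:
    issuer: str
    subject: str
    email: str
    email_verified: bool = False  # OIDC-style claim; absent/False means unverified

def build_sample_users():
    # constructed sample directory, not real accounts
    return [LocalUser("admin", "admin@corp.example", is_superuser=True),
            LocalUser("alice", "alice@corp.example")]

def vulnerable_auto_link(claims, users):
    """Match-on-email-only linking: any IdP identity whose email string
    matches a local account is bound to it, regardless of ownership."""
    for user in users:
        if user.email.lower() == claims.email.lower():
            user.linked_identities.add(f"{claims.issuer}:{claims.subject}")
            return user
    return None

def hardened_auto_link(claims, users, trusted_issuers):
    """Returns (status, user). Auto-links only when every check passes;
    otherwise the link is rejected or queued for manual identity proofing."""
    if claims.issuer not in trusted_issuers:
        return ("reject", None)               # untrusted IdP: never link
    if not claims.email_verified:
        return ("manual_review", None)        # IdP does not vouch for the email
    matches = [u for u in users if u.email.lower() == claims.email.lower()]
    if len(matches) != 1:
        return ("manual_review", None)        # ambiguous or no match
    user = matches[0]
    if user.is_superuser:
        return ("manual_review", user)        # privileged accounts need explicit approval
    user.linked_identities.add(f"{claims.issuer}:{claims.subject}")
    return ("linked", user)
```

Auditing an existing deployment for this class of bug means checking the same four conditions in the gateway's linking path, not only whether emails match.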
Details
- CWE(s)