CVE-2026-0598

Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api

CVSS 4.2 MEDIUMEPSS 0.2%CWE-283

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Produtos afetados

Red Hat · Red Hat Ansible Automation Platform 2 Red Hat · Red Hat Ansible Automation Platform 2.6

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://access.redhat.com/errata/RHSA-2026:13545 https://access.redhat.com/security/cve/CVE-2026-0598 https://bugzilla.redhat.com/show_bug.cgi?id=2427094