CVE-2025-9907
Received
Received - Intake
Sensitive Data Exposure in Red Hat Ansible EDA Event Stream API
Publication date: 2026-02-27
Last updated on: 2026-03-26
Assigner: Red Hat, Inc.
Description
Description
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | ansible_developer | 1.2 |
| redhat | ansible_inside | 1.3 |
| redhat | ansible_automation_platform | to 2.6 (exc) |
| redhat | ansible_developer | 1.3 |
| redhat | ansible_inside | 1.4 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
