CVE-2025-9907
Received Received - Intake

Sensitive Data Exposure in Red Hat Ansible EDA Event Stream API

Vulnerability report for CVE-2025-9907, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-27

Last updated on: 2026-03-26

Assigner: Red Hat, Inc.

Description

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-27
Last Modified
2026-03-26
Generated
2026-07-06
AI Q&A
2026-02-27
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
redhat ansible_developer 1.2
redhat ansible_inside 1.3
redhat ansible_automation_platform to 2.6 (exc)
redhat ansible_developer 1.3
redhat ansible_inside 1.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Red Hat Ansible Automation Platform, specifically in the Event-Driven Ansible (EDA) Event Stream API. It allows sensitive client credentials and internal infrastructure headers to be exposed through the test_headers field when an event stream is running in test mode.

Impact Analysis

The impact of this vulnerability includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, potential privilege escalation if high-value tokens are exposed, and persistent exposure of sensitive data to all users who have read access to the event stream.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart