CVE-2025-9908
Received
Received - Intake
Information Disclosure in Red Hat Ansible EDA Event Streams
Vulnerability report for CVE-2025-9908, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-02-27
Last updated on: 2026-03-25
Assigner: Red Hat, Inc.
Description
Description
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | ansible_developer | 1.2 |
| redhat | ansible_inside | 1.3 |
| redhat | ansible_automation_platform | to 2.6 (exc) |
| redhat | ansible_developer | 1.3 |
| redhat | ansible_inside | 1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |