CVE-2026-6266
Awaiting Analysis Awaiting Analysis - Queue
Account Hijacking via Email Matching in AAP Gateway

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: Red Hat, Inc.

Description
A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6266
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat aap 2.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the AAP gateway's user auto-link strategy introduced in AAP 2.6. It automatically links an external Identity Provider (IDP) identity to an existing AAP user account based solely on matching email addresses without verifying that the user actually owns the email. Because of this, a remote attacker can manipulate the IDP-provided email to hijack a victim's account or gain unauthorized access to other accounts, including administrative ones.

Impact Analysis

The vulnerability can lead to unauthorized access to user accounts, including administrative accounts, by allowing attackers to hijack accounts through email manipulation. This can result in compromised data, unauthorized actions within the system, and potential disruption of services.

Compliance Impact

The vulnerability allows a remote attacker to hijack user accounts or gain unauthorized access, including to administrative accounts, by exploiting the automatic linking of external Identity Provider identities without verifying email ownership.

Such unauthorized access could lead to exposure or misuse of sensitive personal or health information, potentially violating data protection regulations such as GDPR or HIPAA that require strict access controls and protection of personal data.

Therefore, this flaw could negatively impact compliance with these standards by undermining the confidentiality and integrity of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart