CVE-2026-44188
Status: Received - Intake
Session Fixation in Ansible Lightspeed

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Red Hat, Inc.

Description
A flaw was found in Ansible Lightspeed. Logging out does not invalidate the user's OAuth (Open Authorization) access token on the backend, so the token remains valid until its natural expiration (CWE-613, insufficient session expiration). A remote attacker who exfiltrates a valid access token before the user logs out can therefore keep authenticating to the Ansible Lightspeed instance for the remainder of the token's lifetime, without the user's logout ending that access. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data. The exposure window is bounded by the configured token lifetime; the advisory does not describe write access or privilege escalation.
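The following is an added illustration, not code from Ansible Lightspeed or Red Hat: a minimal in-memory model of the CWE-613 pattern the description refers to. A bearer token is issued at login; in the vulnerable flow, logout only discards the client's copy, so a token exfiltrated earlier keeps working until its expiry passes, while in the hardened flow logout records the token's unique id in a server-side revocation set that every request consults. The class and function names, the token layout, the one-hour lifetime and the fixed clock value are assumptions made for the example.

```python
"""
Added example (not Ansible Lightspeed code): the session-expiration flaw
modelled as a tiny token store.  Everything below (names, token fields,
lifetime, clock) is assumed for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field

TOKEN_LIFETIME = 3600  # seconds; assumed one-hour access-token lifetime


@dataclass
class Token:
    jti: str            # unique token id; what server-side revocation is keyed on
    sub: str            # user the token was issued to
    exp: float          # absolute expiry, epoch seconds
    scope: str = "read"


@dataclass
class AuthServer:
    """In-memory stand-in for the backend that validates bearer tokens."""
    now: float = field(default_factory=time.time)   # injectable clock for tests
    issued: dict = field(default_factory=dict)      # jti -> Token
    revoked: set = field(default_factory=set)       # jti values killed at logout

    def login(self, user: str) -> str:
        """Issue a token; the returned id is what the client sends as a bearer token."""
        jti = secrets.token_urlsafe(16)
        self.issued[jti] = Token(jti=jti, sub=user, exp=self.now + TOKEN_LIFETIME)
        return jti

    def logout_vulnerable(self, jti: str) -> None:
        """Logout as the advisory describes it: nothing changes server-side.
        Only the client forgets the token, so any exfiltrated copy stays valid."""
        return None

    def logout_hardened(self, jti: str) -> None:
        """Logout that invalidates the token on the backend (deny-list by jti)."""
        self.revoked.add(jti)

    def authorize(self, jti: str) -> bool:
        """Per-request check: known token, not revoked, not past its expiry."""
        tok = self.issued.get(jti)
        if tok is None or jti in self.revoked:
            return False
        return self.now < tok.exp


def replay_after_logout(hardened: bool) -> bool:
    """True if a token copied before logout is still accepted afterwards."""
    srv = AuthServer(now=1_700_000_000.0)   # constructed fixed clock
    victim_token = srv.login("alice")
    stolen_copy = victim_token               # attacker exfiltrates the bearer token
    assert srv.authorize(stolen_copy)        # valid while the session is live, as expected
    if hardened:
        srv.logout_hardened(victim_token)
    else:
        srv.logout_vulnerable(victim_token)
    return srv.authorize(stolen_copy)


def replay_after_expiry(elapsed: float) -> bool:
    """Even in the vulnerable flow the token dies at its natural expiry,
    which is why the token lifetime bounds the exposure window."""
    srv = AuthServer(now=1_700_000_000.0)
    jti = srv.login("alice")
    srv.logout_vulnerable(jti)
    srv.now += elapsed
    return srv.authorize(jti)


if __name__ == "__main__":
    print("vulnerable, replay after logout:", replay_after_logout(hardened=False))  # True
    print("hardened,   replay after logout:", replay_after_logout(hardened=True))   # False
    print("vulnerable, replay after expiry:", replay_after_expiry(TOKEN_LIFETIME + 1))  # False
```

The same three calls double as a regression check against a real deployment: obtain a token, log out, and confirm the old token is rejected on the next API call; if it is still accepted, the backend is not invalidating tokens at logout.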
Affected Vendors & Products
Vendor: red_hat
Product: ansible_lightspeed
Version / Range: * (one associated CPE; no version bound recorded)
CWE
CWE-613 (Insufficient Session Expiration): According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

CVE-2026-44188 is an insufficient-session-expiration flaw (CWE-613) in Ansible Lightspeed: logging out does not invalidate the user's OAuth access token on the backend, so the token stays valid until its natural expiration.

An attacker who obtains a valid access token before the user logs out can keep authenticating to the Ansible Lightspeed instance for the rest of the token's lifetime and read sensitive data such as inventories, playbooks, and configuration data.

Impact Analysis

A remote attacker holding an exfiltrated OAuth access token keeps working access to the Ansible Lightspeed instance after the legitimate user logs out, with no need to reauthenticate, because the backend never revokes the token.

The impact stated in the advisory is unauthorized read access to sensitive Ansible resources such as inventories, playbooks, and configuration data. The window is bounded by the token's configured lifetime, and the attacker must already have obtained a valid token by some other means; the flaw itself does not leak tokens.

Mitigation Strategies

To mitigate this vulnerability, apply the security update provided by Red Hat in the Ansible Automation Platform 2.7 Container Release, as detailed in advisory RHSA-2026:25928.

Apply all previously released errata relevant to your systems before applying this update. After updating, confirm the fix by logging out and checking that an access token obtained before the logout is rejected on subsequent API calls. Until the update is applied, shorter access-token lifetimes reduce the window in which an exfiltrated token remains usable.

Compliance Impact

The vulnerability allows unauthorized persistent access to sensitive data within Ansible Lightspeed because OAuth access tokens are not invalidated at logout. Such unauthorized access to sensitive information could contribute to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive data. The advisory itself does not address the impact on any specific standard or regulation.
