Red Hat Product Errata RHSA-2026:13508 - Security Advisory
Issued: 2026-05-04
Updated: 2026-05-04

Synopsis
Important: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update

Type/Severity
Security Advisory: Important

Topic
An update is now available for Red Hat Ansible Automation Platform 2.6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):

* automation-controller: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266)
* automation-controller: DTLS cookie callback buffer overflow (CVE-2026-27459)
* automation-controller: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) (CVE-2026-32597)
* automation-controller: denial of service via malformed HTML-like sequences (CVE-2025-69534)
* automation-gateway: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266)
* automation-gateway-proxy: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
* automation-platform-ui: Rollup: Remote Code Execution via Path Traversal Vulnerability (CVE-2026-27606)
* automation-platform-ui: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* python3.12-django-ansible-base: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266)
* python3.12-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534)
* python3.12-jwcrypto: JWCrypto: Memory exhaustion via crafted compressed JWE tokens (CVE-2026-39373)
* python3.12-pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion (CVE-2026-30922)
* python3.12-pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID (CVE-2026-23490)
* python3.12-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459)
* receptor: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. For details about this release, refer to the release notes listed in the References section.

Solution
For details on how to apply this update, refer to the Ansible Automation Platform documentation (the upgrade guide is linked in the References section).
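The PyJWT entry above (CVE-2026-32597) is a conformance failure against RFC 7515 §4.1.11: a JWS verifier MUST reject a token whose `crit` header names an extension the verifier does not understand, and producers MUST NOT list registered header names, duplicates, or names absent from the header. The following is an added example, not code from this advisory, PyJWT or Ansible Automation Platform, showing what a conformant `crit` check looks like on the protected header of a compact JWS. The token builder, the `http://example.invalid/ext` extension name and the placeholder payload/signature are constructed for illustration; the example inspects the header only and performs no signature validation.

```python
import base64
import json

# Header Parameter names registered by RFC 7515 (JWS) and RFC 7518 (JWA) for
# use with JWS. RFC 7515 §4.1.11 forbids listing any of these in "crit".
JWS_REGISTERED_HEADERS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
})


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict) -> str:
    """Build a compact JWS from a constructed header (assumption: this is a
    test helper, not a signer). Payload and signature are placeholders; only
    the protected header is exercised by the checks below."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(b"{}"),
        b64url_encode(b"\x00" * 32),
    ])


def check_crit(header: dict, supported: frozenset = frozenset()) -> None:
    """Enforce RFC 7515 §4.1.11. Raise ValueError unless 'crit' is absent or
    every name it lists is (a) not a registered JWS/JWA header, (b) actually
    present in the header, and (c) an extension this verifier implements."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError("crit must be a non-empty JSON array")
    if not all(isinstance(name, str) for name in crit):
        raise ValueError("crit entries must be strings")
    if len(set(crit)) != len(crit):
        raise ValueError("crit must not contain duplicate names")
    for name in crit:
        if name in JWS_REGISTERED_HEADERS:
            raise ValueError(f"crit must not list registered header {name!r}")
        if name not in header:
            raise ValueError(f"crit names {name!r} but the header lacks it")
        if name not in supported:
            # The vulnerable behaviour was to fall through here silently.
            raise ValueError(f"unsupported critical extension {name!r}")


def header_is_acceptable(token: str, supported: frozenset = frozenset()) -> bool:
    """Parse the protected header of a compact JWS and apply check_crit().
    A real verifier does this in addition to signature validation; the point
    is that an unknown critical extension is a hard reject, never ignored."""
    try:
        header = json.loads(b64url_decode(token.split(".", 1)[0]))
        if not isinstance(header, dict):
            return False
        check_crit(header, supported)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    ext = "http://example.invalid/ext"   # constructed extension name
    tok = make_token({"alg": "HS256", "crit": [ext], ext: True})
    print("unknown crit accepted?", header_is_acceptable(tok))                  # False
    print("known crit accepted?  ", header_is_acceptable(tok, frozenset({ext})))  # True
```

When auditing a JWT library, the test that matters is the second-to-last line: a token whose `crit` names an extension the verifier was never taught must fail before any claim is trusted, regardless of whether the signature is valid.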
Affected Products
Red Hat Ansible Automation Platform 2.6 for RHEL 10 x86_64
Red Hat Ansible Automation Platform 2.6 for RHEL 10 s390x
Red Hat Ansible Automation Platform 2.6 for RHEL 10 ppc64le
Red Hat Ansible Automation Platform 2.6 for RHEL 10 aarch64
Red Hat Ansible Automation Platform 2.6 for RHEL 9 x86_64
Red Hat Ansible Automation Platform 2.6 for RHEL 9 s390x
Red Hat Ansible Automation Platform 2.6 for RHEL 9 ppc64le
Red Hat Ansible Automation Platform 2.6 for RHEL 9 aarch64
Red Hat Ansible Inside 1.4 x86_64
Red Hat Ansible Inside 1.4 s390x
Red Hat Ansible Inside 1.4 ppc64le
Red Hat Ansible Inside 1.4 aarch64
Red Hat Ansible Developer 1.3 for RHEL 10 x86_64
Red Hat Ansible Developer 1.3 for RHEL 10 s390x
Red Hat Ansible Developer 1.3 for RHEL 10 ppc64le
Red Hat Ansible Developer 1.3 for RHEL 10 aarch64
Red Hat Ansible Developer 1.3 for RHEL 9 x86_64
Red Hat Ansible Developer 1.3 for RHEL 9 s390x
Red Hat Ansible Developer 1.3 for RHEL 9 ppc64le
Red Hat Ansible Developer 1.3 for RHEL 9 aarch64

Fixes
BZ - 2430472 - CVE-2026-23490 pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID
BZ - 2436341 - CVE-2025-14550 Django: Django: Denial of Service via crafted request with duplicate headers
BZ - 2441268 - CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns
BZ - 2442530 - CVE-2026-27606 rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
BZ - 2444839 - CVE-2025-69534 python-markdown: denial of service via malformed HTML-like sequences
BZ - 2445356 - CVE-2026-25679 net/url: Incorrect parsing of IPv6 host literals in net/url
BZ - 2447194 - CVE-2026-32597 pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
BZ - 2448503 - CVE-2026-27459 pyOpenSSL: DTLS cookie callback buffer overflow
BZ - 2448553 - CVE-2026-30922 pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion
BZ - 2456187 - CVE-2026-39373 JWCrypto: python-cryptography: python: JWCrypto: Memory exhaustion via crafted compressed JWE tokens
BZ - 2458142 - CVE-2026-6266 aap-controller: aap-gateway: Account hijacking and unauthorized access via unverified email linking

CVEs
CVE-2025-14550
CVE-2025-69534
CVE-2026-6266
CVE-2026-23490
CVE-2026-25679
CVE-2026-26996
CVE-2026-27459
CVE-2026-27606
CVE-2026-30922
CVE-2026-32597
CVE-2026-39373

References
https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.6/html/release_notes/patch_releases
https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.6#Upgrade

Updated Packages
Note: More recent versions of these packages may be available.

Red Hat Ansible Automation Platform 2.6 for RHEL 10

SRPM
ansible-core-2.16.18-2.el10ap.src.rpm SHA-256: c71a190797b8f4451e41c3895764fbdd67c9d035be107755bc0ebe45176199d2
ansible-lint-26.1.1-2.el10ap.src.rpm SHA-256: 5a645a49ef36e35b3e849f51866a907df393fbe316629bd593af122b56e1ac91
python-black-26.3.1-2.el10ap.src.rpm SHA-256: a40ed54428e4e74fc57a0d2782b3e565a186b399c39dacf11bcf7f158caed502
python-pathspec-1.0.4-2.el10ap.src.rpm SHA-256: 75f08288eb5a8a75e14f7d1b49569f6592df0e44ace5de5d075c3979bb750d02
python-pytokens-0.4.1-2.el10ap.src.rpm SHA-256: 2a6bbcb33f52cbd697104fca2bdb29565e1b7ff0acd9f9d65d6c3f68b4e1c780
python-wheel-0.41.2-5.el10_1.1.src.rpm SHA-256: 9b3f84794cbf2993102725edefc1d50817a28a48116c490b8ec6d6100ced8185
receptor-1.6.4-3.el10ap.src.rpm SHA-256: be04cd2c116e79487f42c2513d99c2ba204d0450de74639d6fbc1fda404b0a4c
yamllint-1.38.0-2.el10ap.src.rpm SHA-256: cf499674a3ce57d1987c24af48eac81e03486e7dd07002731537af03125fd9b2

x86_64
ansible-core-2.16.18-2.el10ap.noarch.rpm SHA-256: d4ac612c27a37759456eb28e53c6a14e65ae84fa32160db0661aac128f2469ce
ansible-lint-26.1.1-2.el10ap.noarch.rpm SHA-256: 908d34791c6fe331b14e3cd19c8e8887c275d994c09a10fb81ea123c6ecdf64b
python-pytokens-debugsource-0.4.1-2.el10ap.x86_64.rpm SHA-256: 4e7db2df75477d524b2eb506aa720bfe9af3509388f3c6f90f78703e5137326b
python3-black-26.3.1-2.el10ap.noarch.rpm SHA-256: 97da142557639a08e6348806a43e243741d3ecd104f516b11972705a47151259
python3-pathspec-1.0.4-2.el10ap.noarch.rpm SHA-256: c457e4617e881c58c3cf4732f4ea441fdf75687551552ef41a4547dd147bdcad
python3-pytokens-0.4.1-2.el10ap.x86_64.rpm SHA-256: 939644fd4be1c100506d50329e026f3c06ce06018f1c2805332dd95211f75efb
python3-pytokens-debuginfo-0.4.1-2.el10ap.x86_64.rpm SHA-256: 0535aae76fc119826b5e6da6ca89ae44be4cab1cbda63480ab3e5c0ef8ffd73c
python3-wheel-wheel-0.41.2-5.el10_1.1.noarch.rpm SHA-256: 58fe77f03bd69b8a57a73c6c0098d0b90453f6a67a77cfe4c36f2b68ff3b27ea
receptor-1.6.4-3.el10ap.x86_64.rpm SHA-256: b8ef68908501ccd80a95792efeb9c87ad90d83e92e270ca536029b004b943f2d
receptor-debuginfo-1.6.4-3.el10ap.x86_64.rpm SHA-256: 1b950907539e74f32379b1a56c13c58c3fcb26a40cd3340cbb524c29dab1f3c1
receptor-debugsource-1.6.4-3.el10ap.x86_64.rpm SHA-256: 93d04886ba72de20dce8802990062083ecfc0dc455b0eb8615d6e384b49ba814
receptorctl-1.6.4-3.el10ap.noarch.rpm SHA-256: 7a930b33ba3f050fdc94c0074d1bea5fe45acf7e2dafdb58a5346981bd42c017
yamllint-1.38.0-2.el10ap.noarch.rpm SHA-256: 7cb7eec8780b743e40bd4bb4d65dddb7a4fee1fb0da93816f7110b77b78ced2d

s390x
ansible-core-2.16.18-2.el10ap.noarch.rpm SHA-256: d4ac612c27a37759456eb28e53c6a14e65ae84fa32160db0661aac128f2469ce
ansible-lint-26.1.1-2.el10ap.noarch.rpm SHA-256: 908d34791c6fe331b14e3cd19c8e8887c275d994c09a10fb81ea123c6ecdf64b
python-pytokens-debugsource-0.4.1-2.el10ap.s390x.rpm SHA-256: f559cf432a744f2a2b56644dfe3258e23f98c90f2055a3d1835ef86035db1484
python3-black-26.3.1-2.el10ap.noarch.rpm SHA-256: 97da142557639a08e6348806a43e243741d3ecd104f516b11972705a47151259
python3-pathspec-1.0.4-2.el10ap.noarch.rpm SHA-256: c457e4617e881c58c3cf4732f4ea441fdf75687551552ef41a4547dd147bdcad
python3-pytokens-0.4.1-2.el10ap.s390x.rpm SHA-256: 6440ec0829cf154a47e7d4ac7df451f289a38beb53f3d376948f74eeeee1d8e4
python3-pytokens-debuginfo-0.4.1-2.el10ap.s390x.rpm SHA-256: e5eae7c8c3b64da1f50ab693789b886771c8a3a229bef3d5376b5b2b29203914
python3-wheel-wheel-0.41.2-5.el10_1.1.noarch.rpm SHA-256: 58fe77f03bd69b8a57a73c6c0098d0b90453f6a67a77cfe4c36f2b68ff3b27ea
receptor-1.6.4-3.el10ap.s390x.rpm SHA-256: 0e89a9d5a535b553f1c72bbf6325c7b346f927ffe7305bbbb200bb98cc6e64f8
receptor-debuginfo-1.6.4-3.el10ap.s390x.rpm SHA-256: aa6caef38fd8ac9729709ff6e6850b6760b2ade0e1e1e81b5ce0688097c0249e
receptor-debugsource-1.6.4-3.el10ap.s390x.rpm SHA-256: 63f7337d614a17ce8ccc3768d85f2274f912bd0bdd11dfc4e2c11514475f5f77
receptorctl-1.6.4-3.el10ap.noarch.rpm SHA-256: 7a930b33ba3f050fdc94c0074d1bea5fe45acf7e2dafdb58a5346981bd42c017
yamllint-1.38.0-2.el10ap.noarch.rpm SHA-256: 7cb7eec8780b743e40bd4bb4d65dddb7a4fee1fb0da93816f7110b77b78ced2d

ppc64le
ansible-core-2.16.18-2.el10ap.noarch.rpm SHA-256: d4
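The package list above gives the fixed name-version-release (NVR) of each RPM, and the Topic section asks operators to identify systems that still run older builds. The following is an added example, not code from this advisory or from Red Hat, that does that comparison in pure Python: it ports the core of rpm's `rpmvercmp()` ordering (numeric segments compare numerically, alphabetic segments lexically, a numeric segment beats an alphabetic one, `~` sorts before everything; the newer `^` operator is not handled, which is an assumption that holds for these NVRs) and reports which installed packages are older than the advisory's fixed build. The fixed NVRs are taken from the RHEL 10 list above; the "installed" list is a constructed sample in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output, not data from a real host, and epochs are assumed absent.

```python
import re
from itertools import zip_longest

# Fixed builds from the RHEL 10 package list of RHSA-2026:13508 (NVR only;
# the .noarch/.x86_64 RPMs above carry these names).
ADVISORY_FIXED = [
    "ansible-core-2.16.18-2.el10ap",
    "ansible-lint-26.1.1-2.el10ap",
    "python3-black-26.3.1-2.el10ap",
    "python3-pathspec-1.0.4-2.el10ap",
    "python3-pytokens-0.4.1-2.el10ap",
    "python3-wheel-wheel-0.41.2-5.el10_1.1",
    "receptor-1.6.4-3.el10ap",
    "receptorctl-1.6.4-3.el10ap",
    "yamllint-1.38.0-2.el10ap",
]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output; not taken from a real host.
INSTALLED_SAMPLE = [
    "receptor-1.6.4-2.el10ap",                # older release: needs the update
    "receptorctl-1.6.4-3.el10ap",             # already at the fixed build
    "ansible-core-2.16.17-1.el10ap",          # older version: needs the update
    "python3-wheel-wheel-0.41.2-5.el10_1.1",  # already at the fixed build
    "bash-5.2.26-6.el10",                     # not shipped by this advisory: ignored
]

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Port of the core of rpm's rpmvercmp(): compare two version or release
    strings segment by segment, ignoring separators. Returns -1, 0 or 1."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~":            # '~' sorts before anything, even end of string
            return -1
        if y == "~":
            return 1
        if x is None:           # a ran out of segments first -> a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):          # strips leading zeros implicitly
                return (int(x) > int(y)) - (int(x) < int(y))
            continue
        if x.isdigit():         # numeric segment is newer than alphabetic
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return 0


def split_nvr(nvr: str):
    """'receptor-1.6.4-3.el10ap' -> ('receptor', '1.6.4', '3.el10ap').
    Assumption: no epoch prefix and no architecture suffix in the input."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def nvr_cmp(a: str, b: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def outdated(installed, fixed):
    """Return (installed_nvr, fixed_nvr) pairs for packages that the advisory
    ships and that are installed at a build older than the fixed one."""
    fixed_by_name = {split_nvr(n)[0]: n for n in fixed}
    hits = []
    for nvr in installed:
        target = fixed_by_name.get(split_nvr(nvr)[0])
        if target is not None and nvr_cmp(nvr, target) < 0:
            hits.append((nvr, target))
    return hits


if __name__ == "__main__":
    for have, want in outdated(INSTALLED_SAMPLE, ADVISORY_FIXED):
        print(f"{have} -> update to {want}")
```

On a real host, feed the output of the `rpm -qa` query shown in the comment into `outdated()` in place of the sample list; packages the advisory does not ship are ignored, so the report lists only what this erratum fixes.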
Summary
This Red Hat security advisory addresses multiple vulnerabilities in Ansible Automation Platform 2.6. Red Hat rates the update as a whole Important; among the individual issues, NVD scores account hijacking via unverified email linking (CVE-2026-6266) at CVSS 8.3, the DTLS cookie callback buffer overflow in pyOpenSSL (CVE-2026-27459) at CVSS 9.8, and PyJWT accepting unknown `crit` header extensions (CVE-2026-32597) at CVSS 7.5. According to NVD data, the pyOpenSSL vulnerability affects versions 22.0.0 through 25.x and is fixed in version 26.0.0, while the PyJWT vulnerability affects versions prior to 2.12.0. Those scores and upstream version ranges come from NVD rather than from the advisory text itself; for this product the remediation is the package update listed above, applied per the upgrade documentation in the References section, not an upstream version bump.