HomeDescription
A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
PUBLISHED Reserved 2026-01-05 | Published 2026-02-06 | Updated 2026-02-06 | Assigner redhat
MEDIUM: 4.2CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Problem types
Unverified Ownership
Product status
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
affected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Timeline
| 2026-01-05: | Reported to Red Hat. |
| 2026-02-06: | Made public. |
Credits
Red Hat would like to thank Laura Pardo (RedHat) for reporting this issue.
References
access.redhat.com/security/cve/CVE-2026-0598 vdb-entry
bugzilla.redhat.com/show_bug.cgi?id=2427094 (RHBZ#2427094) issue-tracking
cve.org (CVE-2026-0598)
nvd.nist.gov (CVE-2026-0598)
Download JSON
