Description

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.

PUBLISHED Reserved 2026-05-05 | Published 2026-06-15 | Updated 2026-06-15 | Assigner redhat




MEDIUM: 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

Insufficient Session Expiration

Product status

Default status
affected

1781025813 (rpm) before *
unaffected

Default status
affected

Default status
affected

Timeline

2026-05-05: Reported to Red Hat.
2026-06-15: Made public.

Credits

This issue was discovered by Laura Pardo (Red Hat Inc.).

References

access.redhat.com/errata/RHSA-2026:25928 (RHSA-2026:25928) vendor-advisory

access.redhat.com/security/cve/CVE-2026-44188 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2466764 (RHBZ#2466764) issue-tracking

cve.org (CVE-2026-44188)

nvd.nist.gov (CVE-2026-44188)
