
Description

A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email.
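The weakness described above is a property of the linking rule, not of any one IdP: matching an incoming identity to a local account by email alone treats an attacker-controlled attribute as proof of ownership. The following is an added illustration, not the AAP gateway's code, showing that unsafe rule beside a hardened one. The hardened version first reuses an existing link keyed on the IdP's stable (issuer, subject) pair, and only auto-links on email when the issuer is configured as trusted for that email domain, asserts the address as verified, and the target account is not privileged. The user directory, the issuer list and all names (`User`, `IdpClaims`, `TRUSTED_ISSUERS`) are constructed for the example.

```python
"""
Account auto-linking on external IdP login: the unsafe pattern beside a hardened one.
Constructed illustration only; not the AAP gateway's code.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    is_superuser: bool = False
    # Stable (issuer, subject) pairs that have been linked to this account.
    idp_links: set = field(default_factory=set)


@dataclass
class IdpClaims:
    issuer: str
    subject: str           # stable identifier assigned by the IdP
    email: str
    email_verified: bool = False  # OIDC email_verified claim; absent means False


class LinkRefused(Exception):
    """Raised when the hardened rule declines to link the identity."""


def sample_users():
    """Constructed local directory: one administrator, one ordinary user."""
    return {
        "admin": User("admin", "admin@example.com", is_superuser=True),
        "alice": User("alice", "alice@example.com"),
    }


# Assumption: operator-configured map of issuer -> email domains it may vouch for.
TRUSTED_ISSUERS = {"https://idp.example.com": {"example.com"}}


def auto_link_by_email(claims, users):
    """Unsafe rule: any IdP-asserted email matching a local account links to it."""
    for user in users.values():
        if user.email.lower() == claims.email.lower():
            user.idp_links.add((claims.issuer, claims.subject))
            return user
    return None


def link_with_ownership_check(claims, users, trusted=TRUSTED_ISSUERS):
    """Hardened rule: reuse an existing stable-id link; otherwise auto-link on email
    only when the issuer is trusted for the domain, the email is asserted verified,
    and the target account is not privileged."""
    key = (claims.issuer, claims.subject)
    for user in users.values():
        if key in user.idp_links:
            return user  # already linked by stable identifier, email not consulted

    email = claims.email.lower()
    domain = email.rsplit("@", 1)[-1]
    if not claims.email_verified:
        raise LinkRefused("IdP did not assert ownership of the email address")
    if domain not in trusted.get(claims.issuer, set()):
        raise LinkRefused(f"{claims.issuer} is not trusted to vouch for @{domain}")

    for user in users.values():
        if user.email.lower() == email:
            if user.is_superuser:
                raise LinkRefused("privileged accounts require explicit linking")
            user.idp_links.add(key)
            return user
    return None  # no match: caller provisions a fresh, unprivileged account


def try_link(claims, users):
    """Return the linked username, None for no match, or 'refused'."""
    try:
        user = link_with_ownership_check(claims, users)
    except LinkRefused:
        return "refused"
    return user.username if user else None


if __name__ == "__main__":
    forged = IdpClaims("https://idp.example.com", "sub-1", "admin@example.com")
    print("unsafe rule links to:", auto_link_by_email(forged, sample_users()).username)
    print("hardened rule:", try_link(forged, sample_users()))
```

The superuser refusal is deliberate: even a verified email should not be enough to attach a new external identity to an administrative account without an explicit, authenticated linking step by that account's owner.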

State: PUBLISHED | Reserved 2026-04-14 | Published 2026-05-04 | Updated 2026-05-05 | Assigner: redhat

Severity: HIGH 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Problem types

Authentication Bypass by Primary Weakness

Product status

Default status for every listed package: affected.

Unaffected (rpm) from the listed version onward ("before *"):

  0:4.6.28-3.el8ap
  0:2.5.20260422-2.el8ap
  0:2.5.20260422-2.el8ap
  0:4.6.28-3.el9ap
  0:2.5.20260422-2.el9ap
  0:2.5.20260422-2.el9ap
  0:4.7.11-2.el9ap
  0:2.6.20260422-1.el9ap
  0:2.6.20260422-1.el9ap
  1777377014
  1777311120

Timeline

2026-04-14: Reported to Red Hat.
2026-05-04: Made public.

Credits

This issue was discovered by Robin Bobbitt (Red Hat).

References

access.redhat.com/errata/RHSA-2026:13508 (RHSA-2026:13508) vendor-advisory

access.redhat.com/errata/RHSA-2026:13512 (RHSA-2026:13512) vendor-advisory

access.redhat.com/errata/RHSA-2026:13545 (RHSA-2026:13545) vendor-advisory

access.redhat.com/security/cve/CVE-2026-6266 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2458142 (RHBZ#2458142) issue-tracking

cve.org (CVE-2026-6266)

nvd.nist.gov (CVE-2026-6266)
