CVE-2025-14025

8.5 HIGH

📋 TL;DR

This vulnerability in Ansible Automation Platform allows read-only OAuth2 API tokens to perform unauthorized write operations on backend services like Controller, Hub, and EDA. Attackers with read-only tokens could modify configurations, create resources, or delete data, limited only by RBAC permissions. Organizations using affected AAP versions with OAuth2 token authentication are at risk.

💻 Affected Systems

Products:
  • Ansible Automation Platform
Versions: Specific versions listed in Red Hat advisories (check RHSA-2026:0360, RHSA-2026:0361, RHSA-2026:0408, RHSA-2026:0409)
Operating Systems: Linux (RHEL-based distributions)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using OAuth2 API tokens with read-only scopes. Systems without OAuth2 token authentication or with properly patched gateways are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with a read-only token could gain full administrative control over backend services, leading to data destruction, configuration tampering, or deployment of malicious automation content across the entire infrastructure.

🟠 Likely Case

Attackers with legitimate read-only access could escalate privileges to modify automation configurations, create unauthorized resources, or disrupt operations by altering critical settings.

🟢 If Mitigated

With proper RBAC controls, impact is limited to the specific permissions assigned to the compromised token's role, but unauthorized write operations within those permissions could still occur.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid read-only OAuth2 token and knowledge of backend service API endpoints. The vulnerability is in the gateway's token validation logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions specified in Red Hat advisories RHSA-2026:0360, RHSA-2026:0361, RHSA-2026:0408, RHSA-2026:0409

Vendor Advisory: https://access.redhat.com/articles/7136004

Restart Required: Yes

Instructions:

  1. Review Red Hat advisories for your specific AAP components.
  2. Apply all relevant patches using your package manager.
  3. Restart affected AAP services (Gateway, Controller, Hub, EDA).
  4. Verify token scopes are properly enforced.

🔧 Temporary Workarounds

Disable OAuth2 Token Authentication

Temporarily disable OAuth2 token authentication until patches can be applied:

# Modify AAP gateway configuration to disable OAuth2 tokens
# Consult AAP documentation for specific configuration changes

Restrict Network Access

Limit network access to backend services to only trusted sources:

# Use firewall rules to restrict access to Controller/Hub/EDA ports
# (replace TRUSTED_IP and PORT; an accept rule only narrows access if the
# port is not already opened to all sources by the zone's existing rules)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port port="PORT" protocol="tcp" accept'
sudo firewall-cmd --reload

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate AAP backend services from untrusted networks
  • Monitor all API activity from read-only tokens for unexpected write operations and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check if your AAP version matches those listed in the Red Hat advisories and verify OAuth2 token scope enforcement by testing a read-only token against write API endpoints.

Check Version:

ansible --version && rpm -qa | grep ansible-automation-platform

Verify Fix Applied:

After patching, test that read-only OAuth2 tokens are properly rejected when attempting write operations on backend services.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts from read-only tokens attempting write operations
  • Unexpected successful write operations from tokens with read-only scopes
  • API audit logs showing privilege escalation patterns

Network Indicators:

  • Unusual API call patterns from single tokens
  • Write operations originating from expected read-only service accounts

SIEM Query:

source="aap_logs" AND (token_scope="read-only" AND http_method IN ("POST", "PUT", "DELETE", "PATCH"))
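As an added example (not part of the original advisory), the SIEM query above expressed as a standalone check over constructed gateway log lines; the newline-delimited JSON format and the token_id, path and status fields are assumptions, and a successful (2xx) write from a read-only token is reported separately from a rejected one so that the two log indicators listed above can be told apart.

```python
import json

# Assumed (constructed) log format: one JSON object per line carrying the
# fields the SIEM query uses (token_scope, http_method) plus token_id, path, status.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

SAMPLE_LOGS = """\
{"ts":"2026-01-20T10:00:01Z","token_id":"tok-1","token_scope":"read-only","http_method":"GET","path":"/api/controller/v2/jobs/","status":200}
{"ts":"2026-01-20T10:00:05Z","token_id":"tok-1","token_scope":"read-only","http_method":"POST","path":"/api/controller/v2/job_templates/","status":201}
{"ts":"2026-01-20T10:00:09Z","token_id":"tok-2","token_scope":"write","http_method":"PATCH","path":"/api/galaxy/v3/collections/","status":200}
{"ts":"2026-01-20T10:00:12Z","token_id":"tok-3","token_scope":"read-only","http_method":"DELETE","path":"/api/eda/v1/activations/7/","status":403}
not json at all
"""


def classify(entry):
    """Return a finding label for one parsed entry, or None if it is benign."""
    if entry.get("token_scope") != "read-only":
        return None
    if str(entry.get("http_method", "")).upper() not in WRITE_METHODS:
        return None
    status = int(entry.get("status", 0))
    # A 2xx write from a read-only token means scope enforcement failed;
    # a rejected write is still worth alerting on but shows scopes are enforced.
    if 200 <= status < 300:
        return "unexpected_write_succeeded"
    return "write_attempt_rejected"


def scan(log_text):
    """Scan newline-delimited JSON logs; return (findings, malformed_line_count)."""
    findings, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # count, do not silently drop, unparseable lines
            continue
        label = classify(entry)
        if label:
            findings.append({"token_id": entry.get("token_id"),
                             "method": entry["http_method"],
                             "path": entry.get("path"),
                             "status": int(entry.get("status", 0)),
                             "finding": label})
    return findings, malformed


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS)[0]:
        print(finding)
```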
