Red Hat · Ansible Automation Platform Gateway · CVE-2026-6266
**Name of the Vulnerable Software and Affected Versions**
Ansible Automation Platform Gateway versions 2.6 and later
**Description**
A flaw in the AAP gateway involves the user auto-link strategy, which automatically links an external Identity Provider (IDP) identity to an existing user account based on email matching. Because the system does not verify email ownership, a remote attacker can manipulate the IDP-provided email to hijack a victim's account or gain unauthorized access to other accounts, including those with administrative privileges.
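The email-based auto-link described above, next to a stricter linking rule. This is an added example and not AAP gateway code; the `User` model, the trusted-IdP allowlist, the use of the OIDC `email_verified` claim, the admin-account rule and all sample data are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False
    linked: set = field(default_factory=set)  # (idp, subject) pairs already bound

class LinkRefused(Exception):
    """Raised when an external identity may not be bound automatically."""

def find_by_email(users, email):
    email = (email or "").strip().lower()
    return next((u for u in users if email and u.email.lower() == email), None)

def auto_link_by_email(users, idp, claims):
    # Weak strategy: the IdP-asserted email alone selects the local account.
    user = find_by_email(users, claims.get("email"))
    if user:
        user.linked.add((idp, claims["sub"]))
    return user

def link_with_ownership_check(users, idp, claims, trusted_idps):
    key = (idp, claims["sub"])
    # 1. An identity that is already bound is recognised by (idp, sub), never by email.
    for u in users:
        if key in u.linked:
            return u
    user = find_by_email(users, claims.get("email"))
    if user is None:
        return None  # no match: caller provisions a new, unprivileged account
    # 2. Email may create a new binding only if the IdP vouches for ownership.
    if idp not in trusted_idps or claims.get("email_verified") is not True:
        raise LinkRefused("email ownership not established")
    # 3. Assumed policy: privileged accounts are linked by an administrator only.
    if user.is_admin:
        raise LinkRefused("privileged account requires explicit linking")
    user.linked.add(key)
    return user

def sample_users():  # constructed data
    return [User("admin", "admin@example.com", is_admin=True),
            User("dev", "dev@example.com")]

# Constructed IdP assertions: one with a self-asserted email, one verified.
UNVERIFIED = {"sub": "ext-991", "email": "admin@example.com", "email_verified": False}
VERIFIED = {"sub": "corp-17", "email": "dev@example.com", "email_verified": True}
```

Until a fixed release is available, reviewing existing account links for identities bound to privileged users is the corresponding audit step.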
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.