CVE-2026-6266

Name of the Vulnerable Software and Affected Versions Ansible Automation Platform Gateway versions 2.6 and later

Description A flaw in the AAP gateway involves the user auto-link strategy, which automatically links an external Identity Provider (IDP) identity to an existing user account based on email matching. Because the system does not verify email ownership, a remote attacker can manipulate the IDP-provided email to hijack a victim's account or gain unauthorized access to other accounts, including those with administrative privileges.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.