CVE-2025-9907 - Vulnerability Details

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Ansible Automation Platform Ansible Automation Platform Developer Ansible Automation Platform Inside

No data.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:19201
https://access.redhat.com/errata/RHSA-2025:19221
https://access.redhat.com/errata/RHSA-2025:23069
https://access.redhat.com/errata/RHSA-2025:23131
https://access.redhat.com/security/cve/CVE-2025-9907
https://bugzilla.redhat.com/show_bug.cgi?id=2392834
https://nvd.nist.gov/vuln/detail/CVE-2025-9907
https://www.cve.org/CVERecord?id=CVE-2025-9907

History

Fri, 27 Feb 2026 08:00:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.
Title	event-driven-ansible: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA	Event-driven-ansible: event stream test mode exposes sensitive headers in aap eda
First Time appeared		Redhat Redhat ansible Automation Platform Redhat ansible Automation Platform Developer Redhat ansible Automation Platform Inside
CPEs		cpe:/a:redhat:ansible_automation_platform:2.5::el8 cpe:/a:redhat:ansible_automation_platform:2.5::el9 cpe:/a:redhat:ansible_automation_platform:2.6::el9 cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8 cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9 cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9 cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8 cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9 cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
Vendors & Products		Redhat Redhat ansible Automation Platform Redhat ansible Automation Platform Developer Redhat ansible Automation Platform Inside
References		https://access.redhat.com/errata/RHSA-2025:19201 https://access.redhat.com/errata/RHSA-2025:19221 https://access.redhat.com/errata/RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23131 https://access.redhat.com/security/cve/CVE-2025-9907 https://bugzilla.redhat.com/show_bug.cgi?id=2392834

Fri, 19 Sep 2025 00:15:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		event-driven-ansible: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA
Weaknesses		CWE-200
References		https://nvd.nist.gov/vuln/detail/CVE-2025-9907 https://www.cve.org/CVERecord?id=CVE-2025-9907
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-02-27T07:29:06.070Z

Updated: 2026-02-27T07:29:06.070Z

Reserved: 2025-09-03T07:44:22.984Z

Link: CVE-2025-9907

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-27T08:17:06.703

Modified: 2026-02-27T08:17:06.703

Link: CVE-2025-9907

Redhat

Severity : Moderate

Publid Date: 2025-09-17T23:59:00Z

Links: CVE-2025-9907 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object