Description
A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
Published: 2026-02-06
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-User Data Exposure and Manipulation
Action: Patch ASAP
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:ansible_automation_platform:2.6::el9
References

Fri, 06 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 06 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Description A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
Title Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api
First Time appeared Redhat
Redhat ansible Automation Platform
Weaknesses CWE-283
CPEs cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products Redhat
Redhat ansible Automation Platform
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Redhat Ansible Automation Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-04T21:20:14.612Z

Reserved: 2026-01-05T07:35:27.017Z

Link: CVE-2026-0598

cve-icon Vulnrichment

Updated: 2026-02-06T15:41:40.197Z

cve-icon NVD

Status : Deferred

Published: 2026-02-06T06:15:49.970

Modified: 2026-05-04T22:16:18.913

Link: CVE-2026-0598

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-06T00:00:00Z

Links: CVE-2026-0598 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses