ByteOS Network

NVD Vulnerability Details :

CVE-2025-9908

Awaiting Analysis

Source-secalert@redhat.com

Published At-27 Feb, 2026 | 08:17

Updated At-27 Feb, 2026 | 14:06

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-200	Primary	secalert@redhat.com

CWE ID: CWE-200

Type: Primary

Source: secalert@redhat.com

References

Hyperlink	Source	Resource
https://access.redhat.com/errata/RHSA-2025:19201	secalert@redhat.com	N/A
https://access.redhat.com/errata/RHSA-2025:19221	secalert@redhat.com	N/A
https://access.redhat.com/errata/RHSA-2025:23069	secalert@redhat.com	N/A
https://access.redhat.com/errata/RHSA-2025:23131	secalert@redhat.com	N/A
https://access.redhat.com/security/cve/CVE-2025-9908	secalert@redhat.com	N/A
https://bugzilla.redhat.com/show_bug.cgi?id=2392835	secalert@redhat.com	N/A