Skip to content
Threat Feed
high advisory

CVE-2026-12382 - AAP Gateway Envoy Proxy Authentication Bypass

A critical authentication bypass vulnerability (CVE-2026-12382) exists in the AAP Gateway Envoy proxy configuration within Red Hat Ansible Automation Platform 2 where the non-mTLS route to EDA event streams fails to remove the Subject HTTP header from client requests, allowing an unauthenticated remote attacker to inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.

A significant security flaw, tracked as CVE-2026-12382, has been identified in the AAP Gateway Envoy proxy configuration that is part of Red Hat Ansible Automation Platform 2. This vulnerability stems from a misconfiguration where the non-mTLS route for EDA event streams does not correctly remove the Subject HTTP header from client requests, despite being defined in the requestHeadersToRemove directive. This oversight allows an unauthenticated remote attacker to craft and inject a spoofed Subject header that matches a legitimate client certificate Distinguished Name (DN). By doing so, the attacker can effectively bypass mutual TLS (mTLS) authentication mechanisms, thereby gaining unauthorized access to inject arbitrary events into sensitive EDA event streams. This presents a critical risk to the integrity and confidentiality of data processed by Red Hat Ansible Automation Platform 2 deployments.

Attack Chain

  1. An unauthenticated remote attacker identifies a vulnerable Red Hat Ansible Automation Platform 2 instance exposed via its AAP Gateway Envoy proxy.
  2. The attacker crafts a malicious HTTP request targeting the non-mTLS route configured for EDA event streams.
  3. The crafted request includes a specially forged Subject HTTP header designed to impersonate a legitimate client certificate's Distinguished Name (DN).
  4. The AAP Gateway Envoy proxy receives the request, but due to the configuration flaw, it fails to remove the injected Subject header.
  5. The proxy processes the request, incorrectly validating the spoofed Subject header as a legitimate mTLS authentication, thereby bypassing the intended security controls.
  6. With authentication bypassed, the attacker successfully gains unauthorized access to the protected EDA event streams.
  7. The attacker proceeds to inject arbitrary, potentially malicious, events into these EDA event streams, compromising data integrity or triggering unintended actions.

Impact

Successful exploitation of CVE-2026-12382 allows an unauthenticated remote attacker to bypass mTLS authentication, enabling unauthorized access to protected EDA event streams within Red Hat Ansible Automation Platform 2 environments. The primary impact is the compromise of data integrity and potentially data confidentiality, as the attacker can inject arbitrary events into these streams. This could lead to a variety of consequences, including data corruption, unauthorized system commands being executed if event streams are tied to automation, or the disruption of critical business processes dependent on the accuracy and security of these event streams. The broad nature of "arbitrary events" implies a high degree of control over the affected system's event processing.

Recommendation

  • Patch CVE-2026-12382 on all affected Red Hat Ansible Automation Platform 2 installations by applying the latest security updates from Red Hat.
  • Review Red Hat Ansible Automation Platform 2 AAP Gateway Envoy proxy configurations to ensure the Subject HTTP header is correctly removed from non-mTLS routes to EDA event streams.
  • Monitor network traffic and webserver logs for Red Hat Ansible Automation Platform 2 for anomalous Subject HTTP headers in requests, particularly those directed towards EDA event streams or unauthenticated endpoints.