{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aap-gateway-envoy-proxy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-12382"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Red Hat Ansible Automation Platform 2","AAP Gateway Envoy proxy"],"_cs_severities":["high"],"_cs_tags":["cve","authentication-bypass","red-hat","ansible","proxy","envoy"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA significant security flaw, tracked as CVE-2026-12382, has been identified in the AAP Gateway Envoy proxy configuration that is part of Red Hat Ansible Automation Platform 2. This vulnerability stems from a misconfiguration where the non-mTLS route for EDA event streams does not correctly remove the \u003ccode\u003eSubject\u003c/code\u003e HTTP header from client requests, despite being defined in the \u003ccode\u003erequestHeadersToRemove\u003c/code\u003e directive. This oversight allows an unauthenticated remote attacker to craft and inject a spoofed \u003ccode\u003eSubject\u003c/code\u003e header that matches a legitimate client certificate Distinguished Name (DN). By doing so, the attacker can effectively bypass mutual TLS (mTLS) authentication mechanisms, thereby gaining unauthorized access to inject arbitrary events into sensitive EDA event streams. This presents a critical risk to the integrity and confidentiality of data processed by Red Hat Ansible Automation Platform 2 deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies a vulnerable Red Hat Ansible Automation Platform 2 instance exposed via its AAP Gateway Envoy proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the non-mTLS route configured for EDA event streams.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specially forged \u003ccode\u003eSubject\u003c/code\u003e HTTP header designed to impersonate a legitimate client certificate's Distinguished Name (DN).\u003c/li\u003e\n\u003cli\u003eThe AAP Gateway Envoy proxy receives the request, but due to the configuration flaw, it fails to remove the injected \u003ccode\u003eSubject\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe proxy processes the request, incorrectly validating the spoofed \u003ccode\u003eSubject\u003c/code\u003e header as a legitimate mTLS authentication, thereby bypassing the intended security controls.\u003c/li\u003e\n\u003cli\u003eWith authentication bypassed, the attacker successfully gains unauthorized access to the protected EDA event streams.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to inject arbitrary, potentially malicious, events into these EDA event streams, compromising data integrity or triggering unintended actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-12382 allows an unauthenticated remote attacker to bypass mTLS authentication, enabling unauthorized access to protected EDA event streams within Red Hat Ansible Automation Platform 2 environments. The primary impact is the compromise of data integrity and potentially data confidentiality, as the attacker can inject arbitrary events into these streams. This could lead to a variety of consequences, including data corruption, unauthorized system commands being executed if event streams are tied to automation, or the disruption of critical business processes dependent on the accuracy and security of these event streams. The broad nature of \u0026quot;arbitrary events\u0026quot; implies a high degree of control over the affected system's event processing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-12382 on all affected Red Hat Ansible Automation Platform 2 installations by applying the latest security updates from Red Hat.\u003c/li\u003e\n\u003cli\u003eReview Red Hat Ansible Automation Platform 2 \u003ccode\u003eAAP Gateway Envoy proxy\u003c/code\u003e configurations to ensure the \u003ccode\u003eSubject\u003c/code\u003e HTTP header is correctly removed from non-mTLS routes to EDA event streams.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic and webserver logs for \u003ccode\u003eRed Hat Ansible Automation Platform 2\u003c/code\u003e for anomalous \u003ccode\u003eSubject\u003c/code\u003e HTTP headers in requests, particularly those directed towards \u003ccode\u003eEDA event streams\u003c/code\u003e or unauthenticated endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:18:16Z","date_published":"2026-07-15T18:18:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-12382-aap-gateway-bypass/","summary":"A critical authentication bypass vulnerability (CVE-2026-12382) exists in the AAP Gateway Envoy proxy configuration within Red Hat Ansible Automation Platform 2 where the non-mTLS route to EDA event streams fails to remove the Subject HTTP header from client requests, allowing an unauthenticated remote attacker to inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.","title":"CVE-2026-12382 - AAP Gateway Envoy Proxy Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-12382-aap-gateway-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - AAP Gateway Envoy Proxy","version":"https://jsonfeed.org/version/1.1"}