Product
A critical authentication bypass vulnerability (CVE-2026-12382) exists in the AAP Gateway Envoy proxy configuration within Red Hat Ansible Automation Platform 2 where the non-mTLS route to EDA event streams fails to remove the Subject HTTP header from client requests, allowing an unauthenticated remote attacker to inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.