CVE-2026-0598 - Vulnerability Details

CVE-2026-0598 - Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat Subscribe	Ansible Automation Platform Subscribe

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-0598
https://bugzilla.redhat.com/show_bug.cgi?id=2427094
https://nvd.nist.gov/vuln/detail/CVE-2026-0598
https://www.cve.org/CVERecord?id=CVE-2026-0598

History

Fri, 06 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0598 https://www.cve.org/CVERecord?id=CVE-2026-0598
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 06 Feb 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
Title		Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api
First Time appeared		Redhat Redhat ansible Automation Platform
Weaknesses		CWE-283
CPEs		cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products		Redhat Redhat ansible Automation Platform
References		https://access.redhat.com/security/cve/CVE-2026-0598 https://bugzilla.redhat.com/show_bug.cgi?id=2427094
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-02-06T05:47:57.105Z

Updated: 2026-02-06T15:42:21.423Z

Reserved: 2026-01-05T07:35:27.017Z

Link: CVE-2026-0598

Vulnrichment

Updated: 2026-02-06T15:41:40.197Z

NVD

Status : Awaiting Analysis

Published: 2026-02-06T06:15:49.970

Modified: 2026-02-06T15:14:47.703

Link: CVE-2026-0598

Redhat

Severity : Moderate

Publid Date: 2026-02-06T00:00:00Z

Links: CVE-2026-0598 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-283

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object