RHSA-2026:13545 | Severity: High | CVSS 9.1

Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Container Release Update

Published: May 4, 2026
Last Modified: June 3, 2026

CVE IDs covered (24)

Description

- CVE-2025-68121 — crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
- CVE-2025-69227 — aiohttp: aiohttp: Denial of Service via specially crafted POST request
- CVE-2025-69228 — aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
- CVE-2026-0598 — ansible-lightspeed: Broken Object Level Authorization Leading to Cross-User AI Conversation Context Injection in Ansible Lightspeed API
- CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports
- CVE-2026-4926 — path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
- CVE-2026-6266 — aap-controller: aap-gateway: Account hijacking and unauthorized access via unverified email linking
- CVE-2026-23490 — pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID
- CVE-2026-24049 — wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking
- CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url
- CVE-2026-26007 — cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
- CVE-2026-27137 — crypto/x509: Incorrect enforcement of email constraints in crypto/x509
- CVE-2026-27459 — pyOpenSSL: DTLS cookie callback buffer overflow
- CVE-2026-27606 — rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
- CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion
- CVE-2026-30922 — pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion
- CVE-2026-31812 — quinn-proto: quinn-proto: Denial of Service via crafted QUIC Initial packet
- CVE-2026-32274 — black: Black: Arbitrary file writes from unsanitized user input in cache file name
- CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
- CVE-2026-32597 — pyjwt: PyJWT accepts unknown crit header extensions (RFC 7515 §4.1.11 MUST violation)
- CVE-2026-33154 — dynaconf: jinja2: Dynaconf: Arbitrary code execution via Server-Side Template Injection
- CVE-2026-33810 — crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application
- CVE-2026-35029 — litellm: LiteLLM: Remote code execution and privilege escalation via unrestricted proxy configuration endpoint
- CVE-2026-35030 — litellm: LiteLLM: Authentication bypass and privilege escalation via OIDC userinfo cache key collision

References (28)