CVE-2026-0598 - Vulnerability Details

CVE-2026-0598 - Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Ansible Automation Platform

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-0598
https://bugzilla.redhat.com/show_bug.cgi?id=2427094

History

Fri, 06 Feb 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs.
Title		Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api
First Time appeared		Redhat Redhat ansible Automation Platform
Weaknesses		CWE-283
CPEs		cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products		Redhat Redhat ansible Automation Platform
References		https://access.redhat.com/security/cve/CVE-2026-0598 https://bugzilla.redhat.com/show_bug.cgi?id=2427094
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-02-06T05:47:57.105Z

Updated: 2026-02-06T05:47:57.105Z

Reserved: 2026-01-05T07:35:27.017Z

Link: CVE-2026-0598

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-06T06:15:49.970

Modified: 2026-02-06T06:15:49.970

Link: CVE-2026-0598

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object