CVE-2026-12382 in Ansible Automation Platforminfo

Summary

by MITRE • 07/15/2026

A flaw was found in the AAP Gateway Envoy proxy configuration. The non-mTLS route to EDA event streams does not remove the Subject HTTP header from client requests, despite the source code defining requestHeadersToRemove for this header. An unauthenticated remote attacker can inject a spoofed Subject header matching a legitimate client certificate DN to bypass mTLS authentication and inject arbitrary events into protected EDA event streams.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability resides within the AAP Gateway Envoy proxy configuration where a critical misconfiguration allows unauthorized access to Event Driven Architecture EDA event streams through improper handling of HTTP headers. The flaw specifically manifests in the non-mTLS route implementation where the Subject HTTP header from client requests is not properly stripped despite the source code explicitly defining requestHeadersToRemove for this particular header. This represents a fundamental failure in the proxy's security enforcement mechanisms and constitutes a serious weakness in the authorization framework that governs access to protected event streams.

The technical implementation flaw stems from the mismatch between the defined security configuration parameters and their actual operational behavior within the Envoy proxy environment. When the requestHeadersToRemove directive is configured to remove the Subject header, it should effectively eliminate any possibility of header injection attacks that could manipulate authentication flows. However, the current implementation fails to execute this removal process correctly in non-mTLS routes, creating an exploitable gap where malicious actors can leverage spoofed Subject headers that match legitimate client certificate distinguished names. This creates a scenario where authentication bypass becomes possible through simple HTTP header manipulation.

The operational impact of this vulnerability extends beyond simple access control compromise as it enables arbitrary event injection into protected EDA streams without proper authentication. An unauthenticated remote attacker can craft malicious requests containing spoofed Subject headers that appear to originate from legitimate clients with valid certificates, thereby circumventing the mTLS authentication mechanisms that should protect these critical event streams. This vulnerability essentially undermines the entire security model of the gateway by allowing attackers to inject events that appear to come from authenticated sources, potentially leading to data corruption, unauthorized access to downstream services, and disruption of normal operational flows.

The security implications align with CWE-441 Unintended Proxy or Intermediary which describes scenarios where intermediaries fail to properly validate or sanitize headers, and also relate to CWE-285 Improper Authorization indicating a failure in enforcing proper access controls. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as attackers can leverage the spoofed Subject header to appear as legitimate users while potentially bypassing security monitoring systems that rely on certificate-based authentication. The attack vector represents a sophisticated form of credential theft through header manipulation rather than traditional account compromise.

Mitigation strategies should focus on immediate configuration corrections within the Envoy proxy to ensure that requestHeadersToRemove directives are properly enforced across all route types including non-mTLS paths. Organizations must implement comprehensive header validation mechanisms and regular security testing of proxy configurations to identify similar discrepancies between defined security policies and actual implementation behavior. Additionally, implementing strict header sanitization at multiple layers of the network stack and deploying monitoring solutions that can detect unusual Subject header patterns will help prevent exploitation of this vulnerability while ensuring proper enforcement of mTLS authentication requirements for all event stream access attempts.

Responsible

Redhat

Reservation

06/16/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!