The vulnerability CVE-2026-6266 affects the Red Hat Ansible Automation Platform 2.6 for RHEL 9 and 10. It arises from the user auto-link strategy in the AAP gateway, which automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying that the user owns the email address. This lack of verification enables a remote attacker to hijack victim accounts or gain unauthorized access to other accounts, including those with administrative privileges, by supplying a manipulated email address via the IDP. Red Hat has released security updates as part of RHSA-2026:13508 that fix this issue. The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), reflecting network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, and high confidentiality and integrity impact with low availability impact.

Successful exploitation allows remote attackers to bypass authentication controls by exploiting the unverified email linking mechanism, potentially resulting in account hijacking and unauthorized access to user and administrative accounts. This compromises confidentiality and integrity of the affected system and data. The vulnerability affects Red Hat Ansible Automation Platform 2.6 for RHEL 9 and 10. There are no known exploits in the wild at the time of this advisory.

Red Hat has released an official security update (RHSA-2026:13508) that addresses this vulnerability. Users of Red Hat Ansible Automation Platform 2.6 for RHEL 9 and 10 should apply the provided updates promptly to remediate the issue. Refer to the Red Hat advisory at https://access.redhat.com/errata/RHSA-2026:13508 and the CVE page https://access.redhat.com/security/cve/CVE-2026-6266 for detailed instructions on applying the fix. No additional mitigation steps are indicated beyond applying the official patch.