This advisory covers several security vulnerabilities in Red Hat Ansible Automation Platform 2.6, notably CVE-2025-4565 (unbounded recursion in python3.11-protobuf), CVE-2025-53643 (AIOHTTP HTTP request/response smuggling), CVE-2025-61729 (excessive resource consumption in receptor), CVE-2025-64460 (algorithmic complexity in Django XML deserializer causing denial of service), CVE-2025-66471 (urllib3 streaming API mishandling highly compressed data), and CVE-2025-69223 (AIOHTTP zip bomb vulnerability). The update includes patches for these vulnerabilities and additional bug fixes and feature improvements across the automation-controller, UI, hub, event-driven Ansible, and container-based platform components.

The vulnerabilities could lead to denial of service conditions, resource exhaustion, and potential manipulation of HTTP request/response handling within the affected components of the Ansible Automation Platform. These issues affect core components such as automation-controller, Django framework, protobuf handling, urllib3 streaming, and receptor certificate validation. Exploitation could disrupt automation workflows and platform stability.

Red Hat has released an official security update (RHSA-2026:1249) that addresses all listed vulnerabilities. Users of Red Hat Ansible Automation Platform 2.6 should apply the provided update promptly. The advisory includes updated packages for automation-controller, python3.11-django, python3.11-protobuf, python3.11-urllib3, receptor, and other platform components. Follow the official Red Hat Ansible Automation Platform documentation for applying these updates. No additional mitigation steps are indicated beyond applying the official patches.