SB2026040164 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026040164

SB2026040164 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages

Published: April 1, 2026

Security Bulletin ID SB2026040164
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 27% Medium 64% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2026-24049)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in wheel unpack. A remote attacker can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files.


2) Resource exhaustion (CVE-ID: CVE-2026-23490)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling RELATIVE-OID with excessive continuation octets. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Cross-site scripting (CVE-ID: CVE-2026-22029)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Improper handling of highly compressed data (CVE-ID: CVE-2025-69223)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the application does not properly handle highly compressed data within the auto_decompress feature. A remote attacker can send a specially crafted compressed HTTP request to the server and consume all available memory resources. 


5) SQL injection (CVE-ID: CVE-2026-1312)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.order_by() method. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


6) SQL injection (CVE-ID: CVE-2026-1287)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list(), and alias().. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


7) Resource exhaustion (CVE-ID: CVE-2026-1285)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and truncatechars_html and truncatewords_html template filters. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


8) SQL injection (CVE-ID: CVE-2026-1207)

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed as a band index to raster lookups on GIS fields (only implemented on PostGIS). A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


9) Resource exhaustion (CVE-ID: CVE-2025-14550)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when using ASGIRequest. A remote attacker can send multiple requests with duplicated HTTP headers to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


10) Uncontrolled recursion (CVE-ID: CVE-2026-0994)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to uncontrolled recursion in within the google.protobuf.json_format.ParseDict(). A remote attacker can pass specially crafted input to the application and perform a denial of service attack. 


11) Resource exhaustion (CVE-ID: CVE-2025-61726)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the Request.ParseForm method in net/http when parsing a URL-encoded form. A remote attacker can pass an overly large request with a large number of key-value pairs and consume all available memory on the system. 


Remediation

Install update from vendor's website.

References