Issued:: 2026-01-26
Updated:: 2026-01-26

RHSA-2026:1249 - Important: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update

Synopsis

Important: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update

Type/Severity

Security Advisory Important

Topic

An update is now available for Red Hat Ansible Automation Platform 2.6

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

automation-controller: AIOHTTP HTTP Request/Response Smuggling (CVE-2025-53643)
automation-controller: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb (CVE-2025-69223)
automation-controller: Django: Algorithmic complexity in XML Deserializer leads to denial of service (CVE-2025-64460)
automation-controller: urllib3 Streaming API improperly handles highly compressed data (CVE-2025-66471)
python3.11-django: Algorithmic complexity in XML Deserializer leads to denial of service (CVE-2025-64460)
python3.11-protobuf: Unbounded recursion in Python Protobuf (CVE-2025-4565)
python3.11-urllib3: urllib3 Streaming API improperly handles highly compressed data (CVE-2025-66471)
receptor: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 (CVE-2025-61729)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Automation Platform

Reduced cognitive complexity in _sync_user_superuser_flag (AAP-62771)
The FEATURE_GATEWAY_IPV6_USAGE_ENABLED feature flag has been removed and IPv6 support is enabled by default (AAP-61805)
Fixed an issue preventing gateway from working in a pure IPv4 single stack environment when IPv6 is enabled (AAP-60478)
Added dedicated aap.auth_audit logger with specialized formatters and handlers (AAP-60364)
Introduced new logs for authentication events (AAP-60364)
automation-gateway has been updated to 2.6.20260121
python3.11-django-ansible-base has been updated to 2.6.20260121

Automation Platform UI

Page titles now reflect the current page content (AAP-61754)
Allow full search in resource dropdowns (AAP-57712)
Fixed an issue that occasionally showed a bad request status when navigating between different pages (AAP-56701)
Fixed filtering by name in Collections page (AAP-56529)
Fixed clear/browse button behavior in Client Certificate and Client Key (AAP-55296)
Fixed an issue where a Rulebook Activation in workers offline status could not be disabled or deleted (AAP-52714)
Fixed an issue where workflow job templates node credentials are missing after save for job template nodes that have a default credential that is promptable (AAP-52638)
Fixed an issue where the gateway UI reset the order of an auth mapping when the entity was edited by the user (AAP-52258)
Improves labels and descriptions for Authenticator Mappings details (AAP-51295)
Resolved an issue where controller unavailability rendered the entire AAP UI inaccessible (AAP-50106)
Fixed descriptions for Remotes and Remote Registries (AAP-49838)
Survey textarea "Default Answer" field now properly accepts newlines when pressing Enter (AAP-49820)
Fixed review page on Workflow Approval Nodes (AAP-49433)
Fixed editing of "Days of data to keep" value in management job schedules (AAP-48972)
Editing and saving credentials that use external credential lookup plugins (such as CyberArk) no longer fails with an error message (AAP-44813)
Fixed an issue where the SAML Service Provider extra configuration data field could not be cleared in the UI, as it would automatically reset to the default value (AAP-43661)
Resolved an issue where ad-hoc commands failed with a "Bad Request" error when using credentials configured with "Prompt on launch" for password fields (AAP-43603)
Updated modal warning message and layout when enabling a copied Rulebook Activation (AAP-42574)
automation-platform-ui has been updated to 2.6.5

Automation controller

Added runtime feature flags (AAP-62686)
automation-controller has been updated to 4.7.8
receptor has been updated to 1.6.3

Automation hub

Autocomplete attribute added to the Automation Hub API password field (AAP-59910)
automation-hub has been updated to 4.11.5
python3.11-galaxy-importer has been updated to 0.4.37
python3.11-galaxy-ng has been updated to 4.11.5
python3.11-pulpcore has been updated to 3.49.49

Event-Driven Ansible

Added x-ai-description field to the activation PATCH method (AAP-61969)
automation-eda-controller has been updated to 1.2.4

Container-based Ansible Automation Platform

Added lTLS support to lightspeed chatbot service (AAP-60900)
system-prompt was optimized for granite and openai models (AAP-60898)
Added ipv6 support (AAP-60532)
Fixed an issue where the pcp uninstall step was failing for the Ansible MCP nodes (AAP-60517)
containerized installer setup has been updated to 2.6-5

RPM-based Ansible Automation Platform

ansible-automation-platform-installer and installer setup have been updated to 2.6-4

Additional changes

ansible-core has been updated to 2.16.15
ansible-dev-tools has been updated to 26.1.0
ansible-lint has been updated to 26.1.0
ansible-navigator has been updated to 26.1.1
python3.11-botocore has been updated to 1.34.162
python3.11-django has been updated to 4.2.27
python3.11-protobuf has been updated to 4.25.8
python3.11-requests has been updated to 2.31.0
python3.11-urllib3 has been updated to 2.6.3

Solution

For details on how to apply this update, refer to Ansible Automation Platform documentation.

Affected Products

Product	Version	Arch
Red Hat Ansible Inside	1.4	x86_64
Red Hat Ansible Inside	1.4	s390x
Red Hat Ansible Inside	1.4	ppc64le
Red Hat Ansible Inside	1.4	aarch64
Red Hat Ansible Developer	1.3	x86_64
Red Hat Ansible Developer	1.3	x86_64
Red Hat Ansible Developer	1.3	s390x
Red Hat Ansible Developer	1.3	s390x
Red Hat Ansible Developer	1.3	ppc64le
Red Hat Ansible Developer	1.3	ppc64le
Red Hat Ansible Developer	1.3	aarch64
Red Hat Ansible Developer	1.3	aarch64
Red Hat Ansible Automation Platform	2.6	x86_64
Red Hat Ansible Automation Platform	2.6	x86_64
Red Hat Ansible Automation Platform	2.6	s390x
Red Hat Ansible Automation Platform	2.6	s390x
Red Hat Ansible Automation Platform	2.6	ppc64le
Red Hat Ansible Automation Platform	2.6	ppc64le
Red Hat Ansible Automation Platform	2.6	aarch64
Red Hat Ansible Automation Platform	2.6	aarch64

Updated Packages

automation-controller-4.7.8-1.el9ap.s390x.rpm
automation-controller-venv-tower-4.7.8-1.el9ap.s390x.rpm
automation-platform-ui-2.6.5-1.el9ap.noarch.rpm
automation-gateway-server-2.6.20260121-1.el9ap.noarch.rpm
python3.11-urllib3-2.6.3-1.el9ap.noarch.rpm
receptor-debugsource-1.6.3-2.el10ap.x86_64.rpm
ansible-dev-tools-26.1.0-2.el9ap.src.rpm
receptor-debuginfo-1.6.3-2.el9ap.aarch64.rpm
receptor-debugsource-1.6.3-2.el9ap.s390x.rpm
receptor-debugsource-1.6.3-2.el10ap.aarch64.rpm
receptor-debuginfo-1.6.3-2.el10ap.aarch64.rpm
ansible-automation-platform-installer-2.6-4.el9ap.noarch.rpm
python3.11-django-ansible-base-2.6.20260121-1.el9ap.noarch.rpm
python3.11-django-ansible-base+rest_filters-2.6.20260121-1.el9ap.noarch.rpm
ansible-navigator-26.1.1-2.el9ap.noarch.rpm
receptor-1.6.3-2.el10ap.x86_64.rpm
ansible-dev-tools-26.1.0-2.el10ap.noarch.rpm
python3.11-django-ansible-base+channel_auth-2.6.20260121-1.el9ap.noarch.rpm
automation-controller-4.7.8-1.el9ap.x86_64.rpm
python3.11-protobuf-debuginfo-4.25.8-1.el9ap.ppc64le.rpm
receptor-1.6.3-2.el9ap.x86_64.rpm
automation-eda-controller-base-services-1.2.4-1.el9ap.noarch.rpm
receptor-debugsource-1.6.3-2.el9ap.x86_64.rpm
python3.11-galaxy-importer-0.4.37-2.el9ap.noarch.rpm
receptor-debuginfo-1.6.3-2.el9ap.s390x.rpm
automation-controller-server-4.7.8-1.el9ap.noarch.rpm
python3.11-protobuf-debuginfo-4.25.8-1.el9ap.s390x.rpm
python3.11-django-ansible-base-2.6.20260121-1.el9ap.src.rpm
python3.11-pulpcore-3.49.49-1.el9ap.noarch.rpm
receptor-debugsource-1.6.3-2.el10ap.ppc64le.rpm
python3.11-botocore-1.34.162-1.el9ap.noarch.rpm
receptor-debugsource-1.6.3-2.el9ap.ppc64le.rpm
receptor-1.6.3-2.el10ap.ppc64le.rpm
receptor-debugsource-1.6.3-2.el10ap.s390x.rpm
python3.11-protobuf-4.25.8-1.el9ap.aarch64.rpm
receptor-1.6.3-2.el9ap.aarch64.rpm
automation-eda-controller-1.2.4-1.el9ap.src.rpm
ansible-lint-26.1.0-2.el10ap.src.rpm
python3.11-protobuf-debugsource-4.25.8-1.el9ap.ppc64le.rpm
python3.11-django-ansible-base+jwt_consumer-2.6.20260121-1.el9ap.noarch.rpm
python3.11-django-ansible-base+rbac-2.6.20260121-1.el9ap.noarch.rpm
receptor-1.6.3-2.el10ap.s390x.rpm
receptor-debuginfo-1.6.3-2.el9ap.x86_64.rpm
automation-controller-venv-tower-4.7.8-1.el9ap.x86_64.rpm
automation-eda-controller-base-1.2.4-1.el9ap.noarch.rpm
python3.11-protobuf-debugsource-4.25.8-1.el9ap.x86_64.rpm
receptor-1.6.3-2.el9ap.ppc64le.rpm
python3.11-pulpcore-3.49.49-1.el9ap.src.rpm
python-django-4.2.27-2.el10ap.src.rpm
python3.11-protobuf-4.25.8-1.el9ap.ppc64le.rpm
ansible-test-2.16.15-1.el9ap.noarch.rpm
automation-eda-controller-worker-services-1.2.4-1.el9ap.noarch.rpm
ansible-dev-tools-26.1.0-2.el10ap.src.rpm
ansible-core-2.16.15-1.el9ap.src.rpm
python3.11-django-4.2.27-2.el9ap.noarch.rpm
automation-controller-4.7.8-1.el9ap.ppc64le.rpm
automation-eda-controller-1.2.4-1.el9ap.noarch.rpm
python3.11-django-ansible-base+redis_client-2.6.20260121-1.el9ap.noarch.rpm
python3.11-django-ansible-base+resource_registry-2.6.20260121-1.el9ap.noarch.rpm
receptorctl-1.6.3-2.el9ap.noarch.rpm
automation-eda-controller-event-stream-services-1.2.4-1.el9ap.noarch.rpm
python3.11-botocore-1.34.162-1.el9ap.src.rpm
ansible-core-2.16.15-2.el10ap.noarch.rpm
ansible-dev-tools+server-26.1.0-2.el10ap.noarch.rpm
receptor-debuginfo-1.6.3-2.el10ap.ppc64le.rpm
receptor-debuginfo-1.6.3-2.el10ap.x86_64.rpm
receptor-1.6.3-2.el10ap.aarch64.rpm
python3.11-galaxy-ng-4.11.5-1.el9ap.noarch.rpm
automation-platform-ui-2.6.5-1.el9ap.src.rpm
ansible-lint-26.1.0-2.el10ap.noarch.rpm
python3.11-galaxy-ng-4.11.5-1.el9ap.src.rpm
receptor-1.6.3-2.el9ap.src.rpm
receptor-debugsource-1.6.3-2.el9ap.aarch64.rpm
automation-gateway-2.6.20260121-1.el9ap.src.rpm
ansible-navigator-26.1.1-2.el9ap.src.rpm
automation-gateway-config-2.6.20260121-1.el9ap.noarch.rpm
python3.11-protobuf-debugsource-4.25.8-1.el9ap.aarch64.rpm
ansible-core-2.16.15-2.el10ap.src.rpm
python3.11-django-ansible-base+oauth2_provider-2.6.20260121-1.el9ap.noarch.rpm
python3.11-django-ansible-base+activitystream-2.6.20260121-1.el9ap.noarch.rpm
python3.11-urllib3-2.6.3-1.el9ap.src.rpm
ansible-navigator-26.1.1-2.el10ap.noarch.rpm
ansible-lint-26.1.0-2.el9ap.src.rpm
python3.11-protobuf-4.25.8-1.el9ap.x86_64.rpm
ansible-navigator-26.1.1-2.el10ap.src.rpm
receptorctl-1.6.3-2.el10ap.noarch.rpm
ansible-core-2.16.15-1.el9ap.noarch.rpm
python3.11-protobuf-4.25.8-1.el9ap.s390x.rpm
automation-hub-4.11.5-1.el9ap.noarch.rpm
automation-hub-4.11.5-1.el9ap.src.rpm
python3.11-requests-2.31.0-3.el9ap.src.rpm
python3.11-galaxy-importer-0.4.37-2.el9ap.src.rpm
ansible-automation-platform-installer-2.6-4.el9ap.src.rpm
python3.11-protobuf-4.25.8-1.el9ap.src.rpm
python3.11-protobuf-debuginfo-4.25.8-1.el9ap.aarch64.rpm
automation-controller-4.7.8-1.el9ap.src.rpm
automation-controller-cli-4.7.8-1.el9ap.noarch.rpm
automation-controller-venv-tower-4.7.8-1.el9ap.ppc64le.rpm
receptor-debuginfo-1.6.3-2.el10ap.s390x.rpm
ansible-dev-tools-26.1.0-2.el9ap.noarch.rpm
ansible-lint-26.1.0-2.el9ap.noarch.rpm
automation-controller-4.7.8-1.el9ap.aarch64.rpm
python3.11-django-4.2.27-2.el9ap.src.rpm
python3.11-requests-2.31.0-3.el9ap.noarch.rpm
receptor-debuginfo-1.6.3-2.el9ap.ppc64le.rpm
python3.11-django-ansible-base+api_documentation-2.6.20260121-1.el9ap.noarch.rpm
automation-controller-venv-tower-4.7.8-1.el9ap.aarch64.rpm
python3.11-protobuf-debuginfo-4.25.8-1.el9ap.x86_64.rpm
automation-gateway-2.6.20260121-1.el9ap.noarch.rpm
receptor-1.6.3-2.el9ap.s390x.rpm
python3.11-django-ansible-base+feature_flags-2.6.20260121-1.el9ap.noarch.rpm
python3-django-4.2.27-2.el10ap.noarch.rpm
ansible-dev-tools+server-26.1.0-2.el9ap.noarch.rpm
receptor-1.6.3-2.el10ap.src.rpm
automation-controller-ui-4.7.8-1.el9ap.noarch.rpm
python3.11-protobuf-debugsource-4.25.8-1.el9ap.s390x.rpm
python3.11-django-ansible-base+authentication-2.6.20260121-1.el9ap.noarch.rpm

Fixes

CVEs

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.