CVE-2025-9909

Use of Non-Canonical URL Paths for Authorization Decisions

Published: Feb 27, 2026 | Modified: Feb 27, 2026
CVSS 3.x (source: NVD): N/A
RedHat/V3: 6.7 MODERATE (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or socially engineered administrator can configure a honey-pot route to intercept and exfiltrate user credentials, potentially maintaining persistent access or creating a backdoor even after their permissions are revoked.

Weakness

The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

Affected Software

Name | Vendor | Start Version | End Version
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-builder-0:3.1.1-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-creator-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-dev-environment-0:25.12.2-1.1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-dev-tools-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-lint-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-navigator-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | ansible-sign-0:0.1.4-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-gateway-0:2.5.20251210-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-hub-0:4.10.10-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | bindep-0:2.13.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | molecule-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-ansible-compat-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-distlib-0:0.4.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-django-0:4.2.26-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-execnet-0:2.1.2-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-galaxy-importer-0:0.4.36-2.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-galaxy-ng-0:4.10.10-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-gunicorn-0:23.0.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-pluggy-0:1.6.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-pytest-0:9.0.1-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-pytest-ansible-0:25.12.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-pytest-xdist-0:3.8.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-ruamel-yaml-clib-0:0.2.15-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-subprocess-tee-0:0.4.2-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-tox-ansible-0:25.12.0-1.2.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.11-typing-extensions-0:4.15.0-1.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-builder-0:3.1.1-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-creator-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-dev-environment-0:25.12.2-1.1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-dev-tools-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-lint-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-navigator-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | ansible-sign-0:0.1.4-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-gateway-0:2.5.20251210-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-hub-0:4.10.10-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | bindep-0:2.13.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | molecule-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-ansible-compat-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-distlib-0:0.4.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-django-0:4.2.26-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-execnet-0:2.1.2-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-galaxy-importer-0:0.4.36-2.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-galaxy-ng-0:4.10.10-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-gunicorn-0:23.0.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-pluggy-0:1.6.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-pytest-0:9.0.1-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-pytest-ansible-0:25.12.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-pytest-xdist-0:3.8.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-ruamel-yaml-clib-0:0.2.15-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-subprocess-tee-0:0.4.2-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-tox-ansible-0:25.12.0-1.2.el9ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.11-typing-extensions-0:4.15.0-1.el9ap | *
Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-gateway-0:2.6.20251119-1.el9ap | *
Red Hat Ansible Automation Platform 2.5 | RedHat | ansible-automation-platform-25/gateway-rhel8:sha256:1873ff17834c924950fc5055c75b8aa99d430cf41ade6f67ff54e31bd243493e | *
Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:sha256:d6bd83a65b6a0ca9cead0652736c51dd1ab02fc8d9ee2a5c19e413a5239c0cb7 | *

Extended Description

If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as:

Therefore, it is important to specify an access control policy based on the path information in a canonical form, with all alternate encodings rejected (which a default-deny rule accomplishes).
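The canonicalize-then-decide rule from the extended description, together with a route-creation check motivated by the double-slash gateway_path issue in the description above, as an added Python example. This is not code from Red Hat or from the Ansible Automation Platform gateway; the POLICY table, the route names and the authorize/validate_new_route functions are constructed here for illustration. The example handles only the path component of a URL (scheme and host normalisation are out of scope): it decodes percent-escapes of RFC 3986 unreserved characters only, collapses repeated slashes, resolves dot segments without escaping the root, and denies by default.

```python
"""Canonicalize URL paths before using them in authorization decisions.

Added example; not code from Red Hat or the Ansible Automation Platform.
POLICY, the route paths and the function names are constructed.
"""

# Constructed policy: keys are canonical paths, values are the roles allowed.
# Anything not listed is denied (default deny).
POLICY = {
    "/api/login": frozenset({"anonymous", "user", "admin"}),
    "/api/admin": frozenset({"admin"}),
}

# RFC 3986 unreserved characters have exactly one canonical spelling: literal.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
HEX = set("0123456789ABCDEFabcdef")


def _decode_unreserved(path: str) -> str:
    """Decode %XX escapes of unreserved characters (%6D -> m) and leave every
    other escape in place with upper-case hex, so "%2F" never becomes "/"."""
    out = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        esc = path[i + 1:i + 3]
        if len(esc) != 2 or esc[0] not in HEX or esc[1] not in HEX:
            raise ValueError(f"malformed percent-escape at offset {i}")
        decoded = chr(int(esc, 16))
        out.append(decoded if decoded in UNRESERVED else "%" + esc.upper())
        i += 3
    return "".join(out)


def canonicalize_path(path: str) -> str:
    """Return the single canonical spelling of an absolute URL path.

    Collapses runs of slashes and a trailing slash, drops "." segments,
    resolves ".." without climbing above "/", and raises ValueError on
    input that cannot be canonicalized (relative path, bad escape).
    """
    if not path.startswith("/"):
        raise ValueError("expected an absolute path starting with '/'")
    stack = []
    for seg in _decode_unreserved(path).split("/"):
        if seg in ("", "."):      # empty segment == repeated or trailing "/"
            continue
        if seg == "..":
            if stack:             # ".." at the root is a no-op
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def authorize(request_path: str, role: str, strict: bool = True) -> bool:
    """Default-deny decision made on the canonical path only.

    strict=True additionally rejects any request whose spelling differs from
    its canonical form, i.e. "all alternate encodings rejected";
    strict=False canonicalizes first and then looks the policy up.
    """
    try:
        canon = canonicalize_path(request_path)
    except ValueError:
        return False
    if strict and canon != request_path:
        return False
    return role in POLICY.get(canon, frozenset())


def validate_new_route(gateway_path: str, existing_routes: set) -> bool:
    """Route-creation check: accept a new gateway_path only if it is already
    canonical and its canonical form does not collide with an existing route,
    so "//api/login" cannot be registered beside "/api/login"."""
    try:
        canon = canonicalize_path(gateway_path)
    except ValueError:
        return False
    return canon == gateway_path and canon not in existing_routes


if __name__ == "__main__":
    for raw in ("//api/login", "/api/./admin/../login", "/api/%6Cogin", "/a%2Fb"):
        print(f"{raw!r:28} -> {canonicalize_path(raw)!r}")
    print("//api/admin as admin (strict):", authorize("//api/admin", "admin"))
    print("new route //api/login:", validate_new_route("//api/login", {"/api/login"}))
```

The strict mode is the one the extended description asks for: a request that is not already in canonical form is refused outright rather than silently rewritten, which also makes such requests easy to log and alert on. Route registration uses the same canonicalizer, so a path that would only differ from an existing route by a non-canonical spelling is rejected at creation time rather than discovered later.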

Potential Mitigations

References