Red Hat SummitChapter 9. Patch releases
Security, bug fixes, and enhancements for Ansible Automation Platform 2.6 are released as asynchronous erratas. All Ansible Automation Platform erratas are available on the Download Red Hat Ansible Automation Platform page.
As a Red Hat Customer Portal user, you can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, you receive notifications through email whenever new erratas relevant to your registered systems are released.
Red Hat Customer Portal user accounts must have systems registered and consuming Ansible Automation Platform entitlements for Ansible Automation Platform errata notification emails to generate.
The patch releases section of the release notes will be updated over time to give notes on enhancements and bug fixes for patch releases of Ansible Automation Platform 2.6.
9.1. Ansible Automation Platform patch release November 19, 2025
This release includes the following components and versions:
| Release Date | Component versions |
|---|---|
| November 19, 2025 |
|
CSV Versions in this release:
- Namespace: aap-operator.v2.6.0-0.1763137334
- Cluster: aap-operator.v2.6.0-0.1763137355
9.1.1. CVE
With this update, the following CVEs have been addressed:
-
CVE-2025-9909
automation-gateway: improper path validation in gateway allows credential exfiltration.(AAP-53584) -
CVE-2025-59530
receptor:quic-gocrash due to prematureHANDSHAKE_DONEframe.(AAP-55973)
9.1.2. Ansible Automation Platform
9.1.2.1. Features
-
Allows for Event-Driven Ansible to add CA Certificates in gateway which can then be used by Envoy to do certificate based authorization for mTLS
EventStreams.(AAP-56770)
9.1.2.2. Enhancements
- Red Hat Ansible Lightspeed section has been removed from the left navigation bar.(AAP-53006)
Added fallback-authenticator feature, which allows users to configure
fallback_authenticationfor running custom logic in the event local authentication fails.- Set all existing local authenticators and those created on initial install to fallback to controller credentials.
- The ability to clear the preset if the user does not want to fallback to controller authorization anymore.(AAP-56919)
Ansible Lightspeed intelligent assistant has expanded its support for third-party Large Language Model (LLM) providers, and now includes OpenAI and Microsoft Azure. Third-party LLM support is available for both OpenShift Container Platform operator installation and containerized installation.
- For more information, see Deploying the Ansible Lightspeed intelligent assistant on Red Hat OpenShift Container Platform and Deploying the Ansible Lightspeed intelligent assistant on containerized installation.(ANSTRAT-1673)
9.1.2.3. Bug Fixes
- Fixed a significant performance regression in response time for GET requests to /role_definitions/ and related endpoints.(AAP-56868)
- Fixed an issue where users who existed in Ansible Automation Platform 2.5 with controller legacy authentication, but never logged in were unable to attempt authentication with controller in Ansible Automation Platform 2.6, and were left in an unusable state.(AAP-56388)
-
Fixed issue in which superuser status would sync from platform gateway to other components if set to
True, but not if set toFalse, where administrator privileges were not removed from the other components in all cases.(AAP-56296) - Fixed an issue where platform auditors were not able to view all platform level settings.(AAP-55608)
- Fixed an issues where the Team input field on the authentication mapping form was not hidden when an organization role was selected.(AAP-55602)
- Fixed an issue where the workflow visualizer CSS was displaying the incorrect height.(AAP-55164)
- Fixed an issue using the and condition with multiple attributes. Previously the authentication map would skip the missing attributes, now, the map will be applied only if all attributes are present and the condition(s) are met.(AAP-53612)
-
Fixed an issue where the
LOGIN_REDIRECT_OVERRIDEdid not allow for a bypass URL. A login page has been added at /login to bypass theLOGIN_REDIRECT_OVERRIDEsetting when it is misconfigured.(AAP-53471) - Fixed the Subscription Usage chart where it did not always display at full height.(AAP-52218)
- Fixed an issue that was preventing users from viewing complete survey question choices that contained a colon.(AAP-50290)
- Fixed an issue where a warning message was not available when a user tried to restart an activation in the workers offline status.(AAP-24009)
- Fixed an issue where filtering platform resources by special characters did not work as expected.(AAP-52360)
- Fixed an issue where, applying a domains filter on the Jobs tab and navigating to the Projects section, then selecting a project with multiple templates, caused the system to display only the job template that was filtered by the domain, hiding other templates and showing a misleading message.(AAP-48031)
- Fixed an issue where there was no limit filtering to the jobs page.(AAP-45218)
- Fixed a form validation issue on the Login redirect override field in platform gateway settings.(AAP-40517)
- Fixed an execution environment deletion warning.(AAP-55135)
9.1.3. Red Hat Ansible Lightspeed
9.1.3.1. Features
- Added support for 3rd party model providers OpenAI.(AAP-58291)
- Added support for 3rd party model providers Azure.(AAP-58290)
9.1.3.2. Enhancements
- Upgraded Lightspeed Core Stack to 0.3.0.(AAP-55681)
-
Added ALIA support
lightspeed-stack0.3.0 andllama-stack0.2.22.(AAP-58136) -
Upgraded Ansible Lightspeed intelligent assistant to
Lightspeed-core0.3.0.(AAP-56629) - Added ALIA support for Azure provider.(AAP-56511)
- Added ALIA support for OpenAI provider.(AAP-56509)
-
Made changes required to support
llama-stack0.2.22.(AAP-58361)
9.1.3.3. Bug Fixes
-
Fixes an issue where the Red Hat Ansible Lightspeed assistant returned raw
tool_callJSON instead of natural language answers due to improper processing in Ansible Automation Platform 2.6 with granite-3.3-8b. This compromised user experience by exposing internal details.(AAP-57513) - Fixed an issue where the user would be scrolled to the bottom of the chat history if they clicked thumbs up/thumbs down on a previous message.(AAP-58438)
-
Fixed an issue where during the upgrade of
chatbot-api, the new one is stuck in pending state waiting until PVC is removed.(AAP-57376)
9.1.3.4. Known Issues
- If you are using an IBM Granite 3.3 AI model series in your Ansible Lightspeed intelligent assistant deployment, there may be a delay of ~1 minute in receiving a chat response. As a workaround, restart the chat session.(AAP-58186)
9.1.4. Automation controller
9.1.4.1. Features
- Receptor collection version updated to 2.0.6, which is compatible with ansible-core 2.19.(AAP-42617)
9.1.4.2. Bug Fixes
- Fixed an issue where the migrating team mappers which did not include a users field is now supported.(AAP-56395)
-
Fixed the following migration error for the migration
0200_template_name_constraint.pywhen there was a job template or project with duplicate name in the same organization.(AAP-56222)
Error Message
django.db.utils.ProgrammingError: column main_unifiedjobtemplate.org_unique does not exist
django.db.utils.ProgrammingError: column main_unifiedjobtemplate.org_unique does not exist-
Fixed an issue where some edge cases caused JSON to fail to parse a line from the worker stream with the error: Expecting value: line 1 column 1 (char 0) Line with invalid JSON data: b. Updated the pinned version for
receptorctlin automation controller to address this issue. This effects Tower 4.7.(AAP-58412) -
Fixed an issue where some edge cases caused JSON to fail to parse a line from the worker stream with the error: Expecting value: line 1 column 1 (char 0) Line with invalid JSON data: b. Updated the pinned version for
receptorctlin automation controller to address this issue. This effects Tower 4.6.(AAP-58415) -
Fixed an issue where there was not a meaningful error message whenever the streaming of logs was aborted. Update
ansble-runnerto 2.4.2 to address this issue.(AAP-58390) -
Fixes an issue where jobs failed on
fapolicydenabled systems where python3.9 was not installed by default. Updatesautomation-controller-fapolicydfrom python3.9 to python3.11 to address this issue.(AAP-55790)
9.1.5. Automation hub
9.1.5.1. Bug Fixes
-
Fixed an upgrade error,
AttributeErrororValueError, content type mismatch in the migration that happens when upgrading if any role is assigned to a group globally before the migration.(AAP-58299)
9.1.6. Container-based Ansible Automation Platform
9.1.6.1. Enhancements
- Added ALIA support lightspeed-stack 0.3.0 and llama-stack 0.2.22.(AAP-58295)
- Added ALIA support for Azure provider.(AAP-58206)
- Added ALIA support for OpenAI provider.(AAP-58197)
9.1.6.2. Bug Fixes
- Fixed a compatibility issue with PostgreSQL 17 when using an external database and admin credentials.(AAP-57431)
- Fixed an issue with the chatbot response about the latest Ansible Automation Platform version.(AAP-57385)
- Fixed an issue with the monitoring image on Red Hat Ansible Lightspeed nodes when using the bundle deployment.(AAP-57167)
9.1.7. RPM-based Ansible Automation Platform
9.1.7.1. Enhancements
Event-Driven Ansible event-stream mTLS configuration added to installer.(AAP-46070)
9.1.7.2. Bug Fixes
- Fixed an issue where the installer failed during the execution environment image upload when there was no automation hub node in inventory.(AAP-56892)
Fixed an issue with extra log content. platform gateway logs in /var/log/ansible-automation-platform/gateway have been refactored, there is now more separation of the logs for various components:
-
control-plane-supervisor.log ← Messages from
supervisorctlabout the control-plane (new) - control-plane.log ← Django logs for the control-plane (new, extracted from gateway.log)
- gateway.log ← Django logs for gateway (existing, had items removed)
- uwsgi.log ← UWSGI logs for the {Gateeway} (new, extracted from gateeay.log)
- envoy.log ← The proxy log (existing, unchanged).(AAP-30549)
-
control-plane-supervisor.log ← Messages from
9.1.8. Event-Driven Ansible
9.1.8.1. Features
- Enhancement to support mTLS event streams.(AAP-57375)
- Added the ca_certificates module and the enable_mtls attribute to route objects.(AAP-48345)
- Added a credential type for mTLS event stream.(AAP-46054)
9.1.8.2. Enhancements
- Event-Driven Ansible event-stream mTLS configuration added to the installer,(AAP-57434)
9.1.9. Receptor
9.1.9.1. Features
- Addresses edge cases that could cause JSON failure to parse a line from the worker stream. It also raises the versions of go dependencies and other minor functionality changes.(AAP-57253)
9.2. Ansible Automation Platform patch release November 5, 2025
This release includes the following components and versions:
| Release Date | Component versions |
|---|---|
| November 5, 2025 |
|
CSV Versions in this release:
- Namespace-scoped Bundle: aap-operator.v2.6.0-0.1761384532
- Cluster-scoped Bundle: aap-operator.v2.6.0-0.1761384578
9.2.1. Red Hat Ansible Lightspeed
9.2.1.1. Bug Fixes
-
A typo in the
containerfilecaused the nginx configuration file to be copied to a non-existent directory in operator-based installations, leading to the Lightspeed API service being unavailable due to incorrect port configuration. With this release, the typo has been fixed, ensuring the Lightspeed API service now listens on the correct port in operator-based installations, improving API endpoint accessibility.(AAP-56712)
9.2.2. Technical note
9.2.2.1. Red Hat Ansible Lightspeed
RFC 2818 is now enforced between the lightspeed service and the identity provider (gateway) during the OAuth2 authorisation.
9.2.3. Container-based Ansible Automation Platform
9.2.3.1. Bug Fixes
- Fixed an issue with the chatbot response about the latest Ansible Automation Platform version.(AAP-57385)
9.3. Ansible Automation Platform patch release October 28, 2025
This release includes the following components and versions:
| Release Date | Component versions |
|---|---|
| October 28, 2025 |
|
CSV Versions in this release:
- Namespace: aap-operator.v2.6.0-0.1762261205
- Cluster: aap-operator.v2.6.0-0.1762261209
9.3.1. CVE
With this update, the following CVEs have been addressed:
CVE-2025-59682 python-django: Potential partial directory-traversal via archive.extract().(AAP-54755)
CVE-2025-9908 event-driven-ansible: Sensitive internal headers disclosure in Ansible Automation Platform Event-Driven Ansible event streams.(AAP-53582)
CVE-2025-9907 event-driven-ansible: Event stream test mode exposes sensitive headers in Ansible Automation Platform Event-Driven Ansible.(AAP-53580)
CVE-2025-59343 automation-platform-ui: tar-fs symlink validation bypass.(AAP-54392)
CVE-2025-58754 automation-platform-ui: Axios DoS via lack of data size check.(AAP-53718)
9.3.2. Ansible Automation Platform
9.3.2.1. Features
- Added a step in the subscription wizard that allows the user to configure automation analytics.(AAP-55094)
- Added two new toggle options on the subscription wizard to allow for fetching subscriptions using basic authentication.(AAP-47865)
9.3.2.2. Bug Fixes
-
Fixed an issue where the
ansible-builderandansible-navigatordid not use execution environment images from ansible-automation-platform-26 namespace by default.(AAP-54934) - Fixed an issue where the settings did not display Red Hat consistently in the API and UI.(AAP-54276)
- Fixed an issue where the decision environment dropdown was broken. Replaced the dropdown type for decision environments in the rulebook activation form so that when there are no decision environments available, the dropdown displays No results found instead of an empty dropdown.(AAP-53844)
-
Fixed an issue where creating resources with
cookie/xcrftoken failed. Aligned dependency versions between Konflux build and component repository.(AAP-53561) - Fixed an issue where the component label for the Platform Auditor role did not display all components.(AAP-53551)
- Fixed an issue where empty strings were displayed in the extra variables field on the Jobs > Details page.(AAP-49448)
- Fixed an issue where the Load More in authentication mapping role dropdown did not work.(AAP-54049) HubName
- Fixed an issue where the user was unable to create Event-Driven Ansible or automation hub roles when creating a custom role and selecting the Automation Decisions project or credential types because the UI displayed only the automation controller permissions.(AAP-54756) ControllerName
- Fixed an issue where the PatternFly 6 Upgrade broke the Ansible Automation Platform topology layout and fullscreen mode.(AAP-51106)
-
Fixed an issue where some fields were missing
autocomplete = new-passwordsetting.(AAP-55783) - Fixed an issue where the user was unable to select the default execution environment in the automation settings page.(AAP-39321)
-
Fixed an issue where the LDAP Group Type parameters failed to save user preferences when the language was initially set to
es_ES, resulting in a wrong version displayed on the user interface due to an uninitialized translation object.(AAP-56356) - Fixed an issue that prevented SAML and AzureAD authentication when local user accounts share the same email address.(AAP-56518)
9.3.2.3. Deprecated
- Subscription credentials can no longer be viewed/edited from the system settings page.(AAP-55014)
9.3.3. Ansible Automation Platform Operator
9.3.3.1. Bug Fixes
- Fixed an issue where the Ansible Lightspeed API version did not work during Ansible Automation Platform idle.(AAP-54174)
- Fixed an issue that caused a failure to gather the job data from the controller API.(AAP-55632)
- Fixed a bug where the user could set an image without the respective version, causing the installation to enter an error loop.(AAP-55642)
- Fixed an issue where the backup and restore Ansible Automation Platform instance failed, from cluster A to cluster B, when restoring an upgraded AAP environment from 2.4.(AAP-55648)
9.3.4. Red Hat Ansible Lightspeed
9.3.4.1. Features
Ability to deploy Red Hat Ansible Lightspeed on new containerized installations of Ansible Automation Platform 2.6
You can deploy and use Red Hat Ansible Lightspeed when you install or upgrade to a containerized installation of Ansible Automation Platform 2.6.
Red Hat Ansible Lightspeed includes two main components that enhance your automation experience with generative artificial intelligence (AI):
Ansible Lightspeed intelligent assistant, which is an AI-powered, intuitive chat interface embedded within the Ansible Automation Platform.
The integration of Red Hat Ansible Lightspeed intelligent assistant with the Model Context Protocol (MCP) server is available as a Technology Preview release. This integration enhances the user experience by delivering relevant, dynamically sourced data results to your queries.
Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Ansible Lightspeed coding assistant, which is a generative AI service that works with IBM watsonx Code Assistant to help developers create and maintain Ansible content more efficiently.
For more information, see Deploying Red Hat Ansible Lightspeed on containerized Ansible Automation Platform in the containerized install user guide.
9.3.4.2. Enhancements
-
Added
postgres_extra_settingsto Ansible Automation Platform operators to apply PostgreSQL configuration file level changes to managed postgres.(AAP-55053)
9.3.5. Automation controller
9.3.5.1. Enhancements
- Added support for Red Hat username and password for the subscription management API.(AAP-54975)
9.3.5.2. Bug Fixes
-
Fixes the
system_administratorrole creation race condition which most commonly happened on new Openshift deployments resulting in the default instance group not being created.(AAP-54963) - Fixed an issue where the Controller container file was missing the metrics utility in version 2.6.(AAP-54948)
-
Fixed an issue where the
awx.awx.licenseappeared to succeed when given an invalid pool/subscription.(AAP-54768) -
Fixed an issue where the
ansible.platformcollection did not work with the default Red Hat Ansible Automation Platform credential type.(AAP-41000) -
Fixed an issue where there was a duplicate value (
subsystem_metrics_pipe_execute_seconds) detected under api/controller/v2/metrics/ on Ansible Automation Platform 2.5.(AAP-55621) - Fixed an issue where the platform auditor did not have access to controller settings.(AAP-55607)
9.3.6. Automation hub
9.3.6.1. Enhancements
- Fixed an HTTP 500 error when getting /api/galaxy/_ui/v2/users/3/.(AAP-54260)
9.3.6.2. Bug Fixes
- Fixed an HTTP 500 error when getting /api/galaxy/_ui/v2/users/3/.(AAP-54260)
9.3.7. Container-based Ansible Automation Platform
9.3.7.1. Enhancements
- Implemented preflight ansible-core version validation.(AAP-54932)
9.3.7.2. Bug Fixes
-
Fixed an issue where
REDHAT_CANDLEPIN_VERIFYwas not being used for the correct CA permissions so that the controller could not make requests to subscription.rhsm.redhat.com.(AAP-55180)
9.3.8. RPM-based Ansible Automation Platform
9.3.8.1. Bug Fixes
-
Fixed an issue where setting
automationgateway_disable_https=falseresulted in install failure.(AAP-55466) -
Fixed an issue where
RESOURCE_KEY SECRET_KEYwas not updated when restoring from a different environment.(AAP-54942) - Fixed an issue where Event-Driven Ansible DE credentials failed to populate on initial installation.(AAP-54519)
Fixed an issue where the envoy.log for automation gateway did not receive logs after it was rotated.(AAP-51779)
Fixed an issue where REDHAT_CANDLEPIN_VERIFY was not being used for the correct CA permissions so that the controller could not make requests to subscription.rhsm.redhat.com.(AAP-55183)
9.3.9. Event-Driven Ansible
9.3.9.1. Features
- Changes in the deployment and nginx configuration now allow for gunicorn and daphne to bind to :: as well, essentially allowing for seamlessly binding to IPv4 and IPv6 (dual-stack) addresses, while also enabling the operator to run in single-stack IPv6 or IPv4 scenarios.(AAP-56192)
9.3.10. Receptor
9.3.10.1. Bug Fixes
Fixed an issue where there was stability issue on long-running jobs, clusters under heavy load, and network flakiness.(AAP-53742)
9.4. Ansible Automation Platform patch release October 16, 2025
This release includes the following components and versions:
| Release Date | Component versions |
|---|---|
| October 16, 2025 |
|
CSV Versions in this release:
- Namespace-scoped Bundle: aap-operator.v2.6.0-0.1760139263
- Cluster-scoped Bundle: aap-operator.v2.6.0-0.1760139657
9.4.1. Ansible Automation Platform
9.4.1.1. Bug Fixes
- Fixed an issue where the claims processing failed to migrate services during the post-migrate upgrade process.(AAP-55631)
9.4.2. Automation controller
9.4.2.1. Bug Fixes
- Fixed an issue where the Ansible Automation Platform upgrade would be marked as failed if a single authenticator failed to migrate.(AAP-55629)
9.4.3. Automation hub
9.4.3.1. Bug Fixes
- Fixed a global galaxy team role migration issue that could occur during the post-migrate upgrade process.(AAP-55304)
- Fixed an issue caused by a constraint violation during migrations.(AAP-55309)
-
Fixed an issue from
aap-gateway-manage,migrate_service_data, that states Role definition content type must be null to assign globally, which was due to permissions in hub that failed validation.(AAP-55639)
9.5. Ansible Automation Platform patch release October 6, 2025
This release includes the following components and versions:
| Release Date | Component versions |
|---|---|
| October 6, 2025 |
|
CSV Versions in this release:
- Namespace-scoped Bundle: aap-operator.v2.6.0-0.1759764484
- Cluster-scoped Bundle: aap-operator.v2.6.0-0.1759764962
9.5.1. Automation hub
- Fixed an issue where the automation hub collections in 2.6 could not be pulled with Ansible Galaxy due to incorrect dynamic http logic. This issue only affects the Red Hat Ansible Automation Platform Operator installation.(AAP-55099)
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}