Ansible Automation Platform patch release February 25, 2026

Components and versions

Copy link

This release includes the following components and versions:

CSV Versions in this release:

• Namespace-scoped Bundle: ap-operator.v2.6.0-0.1772585537
• Cluster-scoped Bundle: aap-operator.v2.6.0-0.1772583722

CVE

• CVE-2026-24486 ansible-automation-platform-26/lightspeed-chatbot-rhel9: Python-Multipart has Arbitrary File Write via Non-Default Configuration.(AAP-64188)
• CVE-2026-24486 ansible-automation-platform-26/mcp-tools-rhel9: Python-Multipart has Arbitrary File Write via Non-Default Configuration.(AAP-64186)
• </li> <li><xref href="https://access.redhat.com/security/cve/cve-2025-13465" format="html" scope="external">CVE-2025-13465</xref> <codeph>automation-platform-ui</codeph>: prototype pollution in <codeph>_.unset</codeph> and <codeph>_.omit</codeph> functions.(AAP-64106)</li>
• CVE-2025-13465ansible-automation-platform-26/lightspeed-rhel9: prototype pollution in_.unset and _.omit functions.(AAP-64104)
• CVE-2025-13465ansible-automation-platform-26/gateway-rhel9: prototype pollution in _.unset and _.omit functions.(AAP-64103)
• CVE-2026-24049automation-controller: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking.(AAP-63877)
• CVE-2026-24049ansible-automation-platform-26/de-supported-rhel9: wheel Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking.(AAP-63861)
• CVE-2026-24049ansible-automation-platform-26/de-minimal-rhel9: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking.(AAP-63860)
• CVE-2025-59057automation-platform-ui React Router has XSS Vulnerability.(AAP-62544)
• CVE-2025-59057 <codeph>ansible-automation-platform-26/gateway-rhel9: React Router has XSS Vulnerability.(AAP-62543)
• CVE-2026-21884 automation-platform-ui: React Router SSR XSS in ScrollRestoration.(AAP-62542)
• CVE-2026-21884ansible-automation-platform-26/gateway-rhel9: React Router SSR XSS in ScrollRestoration.(AAP-62541)
• CVE-2026-22029automation-platform-ui: React Router vulnerable to XSS via Open Redirects.(AAP-62524)
• CVE-2026-22029ansible-automation-platform-26/gateway-rhel9: React Router vulnerable to XSS via Open Redirects.(AAP-62523)
• CVE-2026-21441ansible-automation-platform-26/hub-web-rhel9: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API).(AAP-62449)
• CVE-2026-21441ansible-automation-platform-26/hub-rhel9: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API).(AAP-62448)
• CVE-2025-69223<codeph>python3.11-aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb.(AAP-62286)
• CVE-2025-66471ansible-automation-platform-26/hub-web-rhel9: urllib3Streaming API improperly handles highly compressed data.(AAP-62081)
• CVE-2025-66471ansible-automation-platform-26/hub-rhel9-operator: urllib3 Streaming API improperly handles highly compressed data.(AAP-62080)
• CVE-2025-66471ansible-automation-platform-26/hub-rhel9:urllib3 Streaming API improperly handles highly compressed data.(AAP-62079)
• CVE-2025-69223 ansible-automation-platform-26/hub-rhel9: AIOHTTP's HTTP Parserauto_decompress feature is vulnerable to zip bomb.(AAP-61920)
• CVE-2025-69223ansible-automation-platform-26/ee-supported-rhel9: AIOHTTP's HTTP Parserauto_decompress feature is vulnerable to zip bomb.(AAP-61919)
• CVE-2025-69223ansible-automation-platform-26/ee-minimal-rhel9: AIOHTTP's HTTP Parserauto_decompress feature is vulnerable to zip bomb.(AAP-61918)
• CVE-2025-53643ansible-automation-platform-26/ee-supported-rhel9: AIOHTTP HTTP Request/Response Smuggling.(AAP-54841)
• CVE-2026-23490automation-controller: pyasn1 has a DoS vulnerability in decoder.(AAP-63123)
• CVE-2025-61140ansible-automation-platform-26/lightspeed-rhel9: jsonpath: Prototype Pollution vulnerability in the value function.(AAP-64332)
• CVE-2026-0994python3.11-protobuf: Denial of Service in Python Protobuf.(AAP-64072)

Ansible Automation Platform

Bug Fixes

• Fixed an issue where there was double logging in Gateway/DAB. Fixed unit tests.(AAP-65216)
• Fixed an issue where an organization administrator could not delegate permissions to objects within their organization.(AAP-65081)
• If the Project&#8217;s source control branch is overridden by a Template or template Schedule, it is now displayed on the schedule detail and schedule edit form review step.(AAP-60920)
• Fixed an issue preventing reordering more than 50 authentication mappings.(AAP-59119)
• Restored a bug fix so that the feature flags table is created/updated as expected even on partial migrations.(AAP-65815)

Ansible Automation Platform Operator

Enhancements

• Increased envoy request timeout from 1 second to 5 seconds.(AAP-64420)

Bug Fixes

• Fixed an issue with Automation Hub file data not restored in the correct directory. (AAP-65961)
• Fixed an issue where custom PostgreSQL settings could not be applied to the AAP Operator. Added command configuration to PostgreSQL statefulset configuration when postgres_extra_args is defined.(AAP-65487)
• Fixed an issue where there was a missing resource_requirement in the nginx container configured in the EDA event stream deployment.(AAP-64007)
• Fixed an issue where Kubernetes Secret values were being printed in operator logs.(AAP-62943)
• Fixed an issue with an extra_settings to allow customizing the LOGGING level for the Gateway Operator (AAP-62938)

Automation controller

Enhancements

• Fixed the job list endpoint to no longer load the job artifacts, resulting in better performance.(AAP-63489)
• Upgraded to Django 5.2.(AAP-59873)

Bug Fixes

• Fixed missing RoleUserAssignment openapi schema component.(AAP-60826)
• Fixed an issue where the AWX CLI failed to authenticate to AAP 2.5 using username/password. This resolves the Valid credentials were not provided errors when connecting to Gateway environments.(AAP-46830)

Automation hub

Features

• Added a static OpenAPI spec to galaxy that focuses the potential endpoints users can call.(AAP-66415)
• Improved documentation for Automation Hub OpenAPI specifications.(AAP-66410)

Enhancements

• Added concise descriptions to API Endpoints for AAP MCP server.(AAP-66412)

Container-based Ansible Automation Platform

Enhancements

• Increased envoy request timeout from 1 second to 5 seconds.(AAP-64323)
• Added a retry mechanism when trying to get the Automation Controller status (AAP-64291)
• Increased envoy request timeout from 1 second to 5 seconds.(AAP-64008)
• Fixed a compatibility issue when jinja2 native is enabled on ansible-core.(AAP-62878) URL anchors in the inventory samples reflect official documentation.(AAP-55780)

Bug Fixes

• Restored a bug fix so that the feature flags table is created/updated as expected even on partial migrations.(AAP-65815)
• Fixed automation gateway preflight check which doesn't require ansible_host to be defined anymore.(AAP-65370)
• Fixed an issue where the installer did not make use of ansible_user_dir for receptor.(AAP-64452)
• Fixed an issue where disabling TLS on envoy no longer causes a controller connection error when running Merge organization task.(AAP-62904)
• Fixed an issue where the TLS verification when pushing container images to the Automation Hub registry and TLS was enabled.(AAP-62864)

RPM-based Ansible Automation Platform

Enhancements

• Increased envoy request timeout from 1 second to 5 seconds.(AAP-64008)

Event-Driven Ansible

Enhancements

• The content of the de-minimal and de-supported images of the decision environment changes. There are new names for existing plugins, and the old names are still available albeit deprecated. In most of the cases only a change of the used event source or event filter is needed.(AAP-48005)
• For example:

----
- name: Production ruleset
  sources:
    - ansible.eda.pg_listener:
        postgres_params:
          host: postgresql_hostname
          port: postgresql_port
          dbname: postgresql_database
        channels:
          - my_events
          - my_alerts
[...]
----

* The event source name will need to be changed as follows:

----
- name: Production ruleset
  sources:
    - eda.builtin.pg_listener:
        postgres_params:
          host: postgresql_hostname
          port: postgresql_port
          dbname: postgresql_database
        channels:
          - my_events
          - my_alerts
[...]
----

Bug Fixes

• Fixed an issue where the activation worker failed to reconnect to redis after disconnection.Override RQ's default heartbeat to call register_birth, allowing worker re-registration in case of worker disconnects from Redis, and also eliminating ghost workers. Upgraded rq version to 2.6.1.(AAP-56872)

Execution Environments

Copy link

Enchancements

• ee-minimal and ee-supported have been updated to use Python 3.12. The version number has been updated to 2.0.0.(AAP-56549)

Red Hat Ansible Lightspeed

Enhancements

• Upgrade to Python 3.12.(AAP-61048)

Bug Fixes

• Fixed an issue where Lightspeed timed out connecting to chatbot in Testing CI containerized installer. Added chatbot and mcp tools ports to firewalld.(AAP-65319)
• Fixed an issue where ChatGPT 5.1 produced blank ALIA responses while using a supported model provider. Added custom config variable to be added to the llama-stack agent configuration.(AAP-63538)
• Fixed an issue where navigating away from the chatbot while a request was in progress would interrupt the process, often resulting in errors like duplicated messages. This issue has been resolved this by ensuring that outstanding requests continue processing even when the browser focus changes (AAP-62685)
• ChatGPT 5.1 produces blank ALIA responses, while using a supported model provider.