Red Hat SummitCVE - Bug Fixes
The following release notes detail the CVEs and Bug fixes for the Ansible Automation Platform patch released on June 3, 2026
This release of Ansible Automation Platform delivers critical security patches addressing multiple CVEs across Automation Controller, Automation Hub, and Ansible Lightspeed, including fixes for a cryptography buffer overflow and a Dynaconf template injection vulnerability. It also includes bug fixes spanning authentication mapping, workload identity, schedule parsing, and Hub memory stability, alongside enhancements to proxy configuration support and MCP telemetry, and a new default-enabled metrics service for OpenShift deployments.
- namespace: aap-operator.v2.7.0-0.1779173639
- cluster: aap-operator.v2.7.0-0.1779173658
CVE
Copy linkLink copied!
- Automation controller
- CVE-2026-39892:
Cryptography— buffer overflow via non-contiguous buffer in API. (AAP-75138) - CVE-2026-39892: Updated cryptography package to address version affected by known vulnerability. (AAP-72126)
- CVE-2026-39892:
- Automation hub
- CVE-2026-39892:
Cryptography— buffer overflow via non-contiguous buffer in API. (AAP-75149) - CVE-2026-33154:
Dynaconf— arbitrary code execution via server-side template injection; dependency updated to 3.2.13. (AAP-69471)
- CVE-2026-39892:
- Ansible Lightspeed
- CVE-2026-39892: aap-rag-content — cryptography buffer overflow via non-contiguous buffer in API. (AAP-75144)
- CVE-2026-39892:
aap-inventory-mcp-server— cryptography buffer overflow via non-contiguous buffer in API. (AAP-75142)
- Execution environments
- CVE-2026-39892: Updated cryptography package to address version affected by known vulnerability. (AAP-75235)
Bug fixes
Copy linkLink copied!
- Ansible automation portal
- Survey and form rendering improvements: Nested survey parameters, conditional form schemas, and password fields now render correctly. Survey passwords are written as secrets.
- Controller
- Fixed an issue where OIDC workload identity tokens were not applied to cloud credentials during inventory sync, because
populate_workload_identity_tokens()did not include the cloud credential when called fromRunInventoryUpdate. (AAP-75205) - Fixed an issue where workflow node updates failed when the Job Template had labels without "Prompt on Launch" enabled, causing API or UI updates to prompt fields to return "Field is not configured to prompt on launch." The serializer now validates only the prompt fields included in the request rather than re-validating all persisted prompt state. (AAP-75202)
- Fixed an issue where
awxkit as_user()failed to switch the authenticated user when requests were routed through the AAP gateway, because the gateway usesgateway_sessionidinstead ofsessionid. A fallback now checksgateway_sessionidwhen no cookie matchessession_cookie_name. (AAP-75199) - Fixed an issue where the Thycotic Secret Server (Delinea) credential plugin failed with an HTTP 500 error when resolving credentials from Delinea Platform URLs due to an older version of
python-tss-sdk. (AAP-75198) - Fixed an issue where at CLI failed on clean install with ModuleNotFoundError: No module named 'packaging' because setup.py listed setuptools instead of packaging as a runtime dependency after the Python 3.12 upgrade. (AAP-74277)
- Fixed an issue where schedules could not parse a valid RRULE with certain BYHOUR constraints. (AAP-72482)
- Fixed an issue where OIDC workload identity tokens were not applied to cloud credentials during inventory sync, because
- Django-ansible-base
- Fixed an issue where an authenticator map of type "allow" could not recover access once it had been set to false by an earlier deny-all rule. (AAP-75209)
- Fixed an issue where an authenticator map of type "allow" could not recover access once it had been set to false by an earlier deny-all rule. (AAP-75207)
- Hub
- Fixed an issue where Automation Hub pods experienced sustained high memory usage under idle conditions because health probes caused progressive memory growth in pulpcore worker processes, approaching configured memory limits and triggering unnecessary HPA scaling events. (AAP-68883)
- Lightspeed
- Fixed an issue where the containerized installer did not show the image used for Ansible Lightspeed chatbot BYOK configuration. (AAP-73534)
- Fixed an issue where the containerized installer did not show the image used for Ansible Lightspeed chatbot BYOK configuration. (AAP-72986)
- Platform operator
- Fixed an issue where a cluster-scoped operator could not resolve PostgreSQL database connections when components were installed in other namespaces. (AAP-75065)
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}