Ansible Lightspeed API Broken Object Level Authorization Vulnerability Allowing Cross-User Conversation Context Injection

Vulnerability

A broken object-level authorization (BOLA) vulnerability has been identified in the Ansible Lightspeed API conversation endpoints, specifically the AI chat interaction APIs. The endpoints fail to verify that the conversation identifier supplied in a request belongs to the authenticated user making it. As a result, an authenticated attacker with valid credentials could read or manipulate conversations owned by other users. The flaw exposes sensitive conversation data and enables unauthorized changes to AI-generated outputs. The vulnerability affects all versions of Ansible Lightspeed API on Linux.
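The defect described above is a lookup keyed on the conversation identifier alone, with the caller's identity never consulted. The following added example (not Ansible Lightspeed's own code; a hypothetical in-memory conversation store with constructed sample data) shows that pattern beside the corrected one, where ownership is checked inside the lookup and a foreign identifier is indistinguishable from a nonexistent one. The write path reuses the hardened lookup so that prompts cannot be appended to another user's session.

```python
"""Ownership check for conversation endpoints.

Hypothetical in-memory service written to illustrate the BOLA pattern;
it is not Ansible Lightspeed's code and the names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class NotFound(Exception):
    """Raised when a conversation does not exist or is not owned by the caller."""


@dataclass
class Conversation:
    conversation_id: str
    owner_id: str                      # user who created the conversation
    messages: List[str] = field(default_factory=list)


# Constructed sample data: two users, one conversation each.
STORE: Dict[str, Conversation] = {
    "conv-alice": Conversation("conv-alice", "alice",
                               ["write a playbook that installs nginx"]),
    "conv-bob": Conversation("conv-bob", "bob",
                             ["add a firewall rule for port 22"]),
}


def get_conversation_vulnerable(store: Dict[str, Conversation],
                                caller_id: str,
                                conversation_id: str) -> Conversation:
    """BOLA: the lookup is keyed on the identifier only.

    caller_id is accepted but never used, so any authenticated caller
    who supplies a valid identifier gets the conversation back.
    """
    conv = store.get(conversation_id)
    if conv is None:
        raise NotFound(conversation_id)
    return conv


def get_conversation_hardened(store: Dict[str, Conversation],
                              caller_id: str,
                              conversation_id: str) -> Conversation:
    """Ownership is part of the lookup, not a separate check afterwards.

    A conversation owned by someone else raises the same NotFound as a
    missing one, so the response does not confirm that the identifier
    exists.
    """
    conv = store.get(conversation_id)
    if conv is None or conv.owner_id != caller_id:
        raise NotFound(conversation_id)
    return conv


def append_prompt(store: Dict[str, Conversation], caller_id: str,
                  conversation_id: str, prompt: str) -> int:
    """Write path: every mutation goes through the hardened lookup.

    Returns the new message count for the caller's own conversation.
    """
    conv = get_conversation_hardened(store, caller_id, conversation_id)
    conv.messages.append(prompt)
    return len(conv.messages)


def can_read(lookup: Callable[..., Conversation],
             store: Dict[str, Conversation],
             caller_id: str, conversation_id: str) -> bool:
    """True if `lookup` would hand `conversation_id` to `caller_id`."""
    try:
        lookup(store, caller_id, conversation_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # Bob asking for Alice's conversation: allowed by the vulnerable
    # lookup, refused by the hardened one.
    for name, lookup in (("vulnerable", get_conversation_vulnerable),
                         ("hardened", get_conversation_hardened)):
        print(name, "bob reads conv-alice:",
              can_read(lookup, STORE, "bob", "conv-alice"))
```

The point of folding the owner comparison into the lookup is that there is no code path, read or write, that can obtain a Conversation object without it; a separate "check after fetch" is easy to omit on the next endpoint that is added.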

Impact

Exploitation of this vulnerability allows authenticated users to access and modify AI chat conversations belonging to other users, leading to unauthorized disclosure of sensitive information and manipulation of AI-generated content, such as Ansible playbooks.

Reproduction

To reproduce this vulnerability, an authenticated user must obtain a valid conversation identifier that belongs to another user. Because the conversation endpoints perform no ownership validation, such an identifier is accepted as-is: the user can then read the conversation history and inject new prompts into the AI session, influencing the generated responses.

Added: Feb 6, 2026, 6:27 AM
Updated: Feb 6, 2026, 6:27 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 2.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.