Description
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Published: 2026-06-23
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Event-Driven Ansible (EDA) websocket API endpoint /api/eda/ws/ansible-rulebook fails to validate user permissions when processing worker messages. This oversight allows any authenticated user to forge a message containing an arbitrary activation_id and obtain plain‑text credentials tied to that activation, such as OAuth tokens, vault passwords, and SSH keys. The flaw is a direct result of missing authorization checks, corresponding to CWE‑862.

Affected Systems

The vulnerability affects Red Hat Ansible Automation Platform 2.5 (for RHEL 8 and 9) and 2.6 (for RHEL 9) on both EL8 and EL9 platforms. These products host the EDA websocket service and are identified by the corresponding cpe entries for redhat:ansible_automation_platform in the affected versions.

Risk and Exploitability

The CVSS score of 9.6 marks this issue as critical, and the EPSS score is currently unavailable, indicating limited publicly known data on exploitation attempts. The flaw is not listed in CISA KEV, but the absence of authorization checks on a publicly reachable websocket endpoint implies a high likelihood of remote exploitation. The likely attack vector is remote over the network via the /api/eda/ws/ansible-rulebook endpoint, and based on the description it is inferred that an attacker only needs to authenticate, without elevated privileges, to send forged messages and steal credentials. Once compromised, the attacker could pivot within the system.

Generated by OpenCVE AI on June 24, 2026 at 10:09 UTC.

Remediation

Vendor Workaround

The following practices would help for reducing or avoiding the exposure to this flaw: 1) Restrict network access to the EDA websocket endpoint. 2) Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied.


OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA-2026:28492 or RHSA-2026:28497 to patch the websocket authorization flaw.
  • Restrict network access to the /api/eda/ws/ansible-rulebook endpoint using firewall rules or network segmentation to limit exposure.
  • Limit or remove privileges of all user accounts that can authenticate to the Ansible Automation Platform until the patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 10:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:ansible_automation_platform:2 cpe:/a:redhat:ansible_automation_platform:2.5::el9
References

Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Critical


Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Title Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
First Time appeared Redhat
Redhat ansible Automation Platform
Weaknesses CWE-862
CPEs cpe:/a:redhat:ansible_automation_platform:2
cpe:/a:redhat:ansible_automation_platform:2.5::el8
cpe:/a:redhat:ansible_automation_platform:2.6::el9
Vendors & Products Redhat
Redhat ansible Automation Platform
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Redhat Ansible Automation Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-29T12:34:21.949Z

Reserved: 2026-06-09T15:41:49.114Z

Link: CVE-2026-11807

cve-icon Vulnrichment

Updated: 2026-06-29T12:34:21.949Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Critical

Publid Date: 2026-06-23T14:27:28Z

Links: CVE-2026-11807 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses