Impact
The Event-Driven Ansible (EDA) websocket API endpoint /api/eda/ws/ansible-rulebook fails to validate user permissions when processing worker messages. This oversight allows any authenticated user to forge a message containing an arbitrary activation_id and obtain plain‑text credentials tied to that activation, such as OAuth tokens, vault passwords, and SSH keys. The flaw is a direct result of missing authorization checks, corresponding to CWE‑862.
Affected Systems
The vulnerability affects Red Hat Ansible Automation Platform 2.5 (for RHEL 8 and 9) and 2.6 (for RHEL 9) on both EL8 and EL9 platforms. These products host the EDA websocket service and are identified by the corresponding cpe entries for redhat:ansible_automation_platform in the affected versions.
Risk and Exploitability
The CVSS score of 9.6 marks this issue as critical, and the EPSS score is currently unavailable, indicating limited publicly known data on exploitation attempts. The flaw is not listed in CISA KEV, but the absence of authorization checks on a publicly reachable websocket endpoint implies a high likelihood of remote exploitation. The likely attack vector is remote over the network via the /api/eda/ws/ansible-rulebook endpoint, and based on the description it is inferred that an attacker only needs to authenticate, without elevated privileges, to send forged messages and steal credentials. Once compromised, the attacker could pivot within the system.
OpenCVE Enrichment