CVE-2026-11807 - Vulnerability Details

- Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

Description

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

Published: 2026-06-23

Score: 9.6 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Event-Driven Ansible (EDA) websocket API endpoint /api/eda/ws/ansible-rulebook fails to validate user permissions when processing worker messages. This oversight allows any authenticated user to forge a message containing an arbitrary activation_id and obtain plain‑text credentials tied to that activation, such as OAuth tokens, vault passwords, and SSH keys. The flaw is a direct result of missing authorization checks, corresponding to CWE‑862.

Affected Systems

The vulnerability affects Red Hat Ansible Automation Platform releases 2, 2.5, and 2.6 on both EL8 and EL9 platforms. These products host the EDA websocket service and are identified by the corresponding cpe entries for redhat:ansible_automation_platform in the affected versions.

Risk and Exploitability

The CVSS score of 9.6 marks this issue as critical, and the EPSS score is currently unavailable, indicating limited publicly known data on exploitation attempts. It is not listed in the CISA KEV catalog, but the nature of the flaw—unauthorized credential disclosure via a publicly reachable websocket endpoint—implies a high likelihood of remote exploitation by any authenticated without permission checks. An attacker can readily obtain sensitive credentials once authenticated, potentially leading to further lateral movement or system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat

Red Hat Ansible Automation Platform 2.5 for RHEL 8

affected

Version	Status	Constraints
`0:1.1.19-1.el8ap`	unaffected	< *

Red Hat

Red Hat Ansible Automation Platform 2.5 for RHEL 9

affected

Version	Status	Constraints
`0:1.1.19-1.el9ap`	unaffected	< *

Red Hat

Red Hat Ansible Automation Platform 2.6 for RHEL 9

affected

Version	Status	Constraints
`0:1.2.9-2.el9ap`	unaffected	< *

Red Hat

Red Hat Ansible Automation Platform 2.5

affected

Version	Status	Constraints
`1781741251`	unaffected	< *

Red Hat

Red Hat Ansible Automation Platform 2.6

affected

Version	Status	Constraints
`1781732675`	unaffected	< *

No data.

Package	CPE	Advisory	Released Date
Red Hat Ansible Automation Platform 2.5
ansible-automation-platform-25/eda-controller-rhel8:1781741251	cpe:/a:redhat:ansible_automation_platform:2.5::el8	RHSA-2026:28497	2026-06-23T00:00:00Z
Red Hat Ansible Automation Platform 2.6
ansible-automation-platform-26/eda-controller-rhel9:1781732675	cpe:/a:redhat:ansible_automation_platform:2.6::el9	RHSA-2026:28492	2026-06-23T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

The following practices would help for reducing or avoiding the exposure to this flaw: 1) Restrict network access to the EDA websocket endpoint. 2) Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied.

OpenCVE Recommended Actions

Apply the Red Hat errata RHSA-2026:28492 or RHSA-2026:28497 to patch the websocket authorization flaw.
Restrict network access to the /api/eda/ws/ansible-rulebook endpoint using firewall rules or network segmentation to limit exposure.
Limit or remove privileges of all user accounts that can authenticate to the Ansible Automation Platform until the patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 02:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2026:28376
https://access.redhat.com/errata/RHSA-2026:28377
https://access.redhat.com/errata/RHSA-2026:28492
https://access.redhat.com/errata/RHSA-2026:28497
https://access.redhat.com/security/cve/CVE-2026-11807
https://bugzilla.redhat.com/show_bug.cgi?id=2487036
https://nvd.nist.gov/vuln/detail/CVE-2026-11807
https://www.cve.org/CVERecord?id=CVE-2026-11807

History

Wed, 24 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:ansible_automation_platform:2~~	cpe:/a:redhat:ansible_automation_platform:2.5::el9
References		https://access.redhat.com/errata/RHSA-2026:28376 https://access.redhat.com/errata/RHSA-2026:28377

Wed, 24 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-11807 https://www.cve.org/CVERecord?id=CVE-2026-11807
Metrics	threat_severity `None`	threat_severity `Critical`

Tue, 23 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Title		Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
First Time appeared		Redhat Redhat ansible Automation Platform
Weaknesses		CWE-862
CPEs		cpe:/a:redhat:ansible_automation_platform:2 cpe:/a:redhat:ansible_automation_platform:2.5::el8 cpe:/a:redhat:ansible_automation_platform:2.6::el9
Vendors & Products		Redhat Redhat ansible Automation Platform
References		https://access.redhat.com/errata/RHSA-2026:28492 https://access.redhat.com/errata/RHSA-2026:28497 https://access.redhat.com/security/cve/CVE-2026-11807 https://bugzilla.redhat.com/show_bug.cgi?id=2487036
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}`

Subscriptions

Redhat Ansible Automation Platform

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-23T19:40:33.182Z

Updated: 2026-06-24T01:39:13.071Z

Reserved: 2026-06-09T15:41:49.114Z

Link: CVE-2026-11807

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Critical

Publid Date: 2026-06-23T14:27:28Z

Links: CVE-2026-11807 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses

CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object