Description
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.
Published: 2026-06-19
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the AWX GitHub webhook integration lets an attacker who signs a forged pull_request webhook emulate a legitimate callback. The controller stores the pull_request.statuses_url from the payload without validating it points to a trusted GitHub API and later POSTs the job template’s Personal Access Token to that URL when reporting job status updates. This allows the attacker to redirect the callback to an arbitrary URL and exfiltrate the PAT, giving access to the attacker’s GitHub repository and any actions the token permits. The weakness is characterized as an unsafe input leading to an SSRF and credential leakage (CWE‑918).

Affected Systems

The vulnerability impacts Red Hat Ansible Automation Platform 2. All installations using the GitHub webhook integration are exposed when a job template is configured with a GitHub Personal Access Token as its webhook credential.

Risk and Exploitability

With a CVSS score of 6.3 the flaw is of moderate severity. Exploitation requires access to a valid job template webhook key and the ability to supply a signed GitHub pull_request webhook with a malicious callback URL. The EPSS score is not available, but the risk is realistic if webhook keys are exposed or stolen. The vulnerability is not listed in CISA KEV and no public patch is documented, so the risk remains until a vendor fix is released.

Generated by OpenCVE AI on June 19, 2026 at 20:45 UTC.

Remediation

Vendor Workaround

The following practices may reduce exposure to this flaw until a fix is available: 1. Restrict network access to controller webhook endpoints so only trusted GitHub egress IPs or an approved reverse proxy can reach them. 2. Protect job template webhook keys as secrets; restrict Job Template admin access; rotate webhook keys if compromise is suspected. 3. If commit status callback to GitHub is not required, configure GitHub webhooks without a webhook_credential on the job template (this disables PAT transmission on job completion). 4. Monitor controller logs and outbound connections for unexpected callback destinations following webhook-triggered jobs.


OpenCVE Recommended Actions

  • Restrict network access to the controller webhook endpoints so that only trusted GitHub egress IPs or an approved reverse proxy can reach them.
  • Secure the job template webhook key by limiting administrative access and rotating the key if a compromise is suspected.
  • Remove the webhook credential from job templates that do not require commit status callbacks, which disables PAT transmission on job completion.

Generated by OpenCVE AI on June 19, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat awx
Vendors & Products Redhat awx

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 19 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.
Title Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential
First Time appeared Redhat
Redhat ansible Automation Platform
Weaknesses CWE-918
CPEs cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products Redhat
Redhat ansible Automation Platform
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Redhat Ansible Automation Platform Awx
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-22T17:08:43.067Z

Reserved: 2026-06-19T15:05:52.078Z

Link: CVE-2026-12726

cve-icon Vulnrichment

Updated: 2026-06-22T17:08:39.586Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-19T14:40:00Z

Links: CVE-2026-12726 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:38Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)