Missing Authorization Vulnerability in Event-Driven Ansible WebSocket API by Red Hat
CVE-2026-11807
9.6 CRITICAL
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 23 June 2026
What is CVE-2026-11807?
A vulnerability in the Event-Driven Ansible (EDA) websocket API allows any authenticated user to abuse the /api/eda/ws/ansible-rulebook endpoint. The endpoint does not verify the user's permissions when processing Worker messages, so an attacker can send forged messages containing arbitrary activation_ids and retrieve the sensitive plaintext credentials associated with those activations, including OAuth tokens, vault passwords, and SSH keys.
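To make the missing check concrete, here is an added example (not EDA's own code; the handler names, data model and sample secrets are hypothetical and constructed) contrasting a Worker-message handler that trusts the activation_id taken from the message with one that first checks the authenticated user's access to that activation:

```python
from dataclasses import dataclass


@dataclass
class Activation:
    activation_id: int
    owner: str
    credentials: dict  # constructed sample secrets, not real ones


@dataclass
class User:
    username: str
    is_superuser: bool = False


# Constructed sample data: two activations owned by different users.
ACTIVATIONS = {
    1: Activation(1, "alice", {"vault_password": "VAULT-1"}),
    2: Activation(2, "bob", {"ssh_key": "SSH-KEY-2"}),
}


def handle_worker_vulnerable(user: User, message: dict) -> dict:
    """Pattern the advisory describes: the activation_id in the Worker
    message is looked up and its credentials returned without asking
    whether the authenticated user may see that activation."""
    activation = ACTIVATIONS[message["activation_id"]]
    return activation.credentials


def user_can_read_activation(user: User, activation: Activation) -> bool:
    # Hypothetical policy: owner or superuser only.
    return user.is_superuser or activation.owner == user.username


def handle_worker_fixed(user: User, message: dict):
    """Authorize the caller against the referenced activation before any
    secret leaves the server. Returns the credentials, or None when the
    request is denied (a missing and an unauthorized activation get the
    same answer, so the endpoint is not an existence oracle)."""
    if message.get("type") != "Worker":
        return None
    activation = ACTIVATIONS.get(message.get("activation_id"))
    if activation is None or not user_can_read_activation(user, activation):
        return None
    return activation.credentials
```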
Affected Version(s)
- Red Hat Ansible Automation Platform 2.5 1781741251
- Red Hat Ansible Automation Platform 2.6 1781732675
CVSS V3.1
- Score: 9.6
- Severity: CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Credit
This issue was discovered by Chris Meyers (Red Hat, Inc.).