Security Flaw in AWX GitHub Webhook Integration Exposes Personal Access Tokens
CVE-2026-12726
6.3 MEDIUM
What is CVE-2026-12726?
AWX's GitHub webhook integration does not validate the 'statuses_url' field of an incoming GitHub webhook payload. AWX uses that URL as the endpoint to which it posts job status updates, authenticating with the GitHub Personal Access Token configured on the job template. An attacker who can submit a webhook that AWX accepts as valid can set 'statuses_url' to a host they control; AWX then delivers the status update, together with the token, to the attacker's endpoint, and the attacker can use the token to access the victim's GitHub resources. The fix is to treat 'statuses_url' as untrusted input: before posting, check that its scheme, host, and path match the GitHub API host AWX is configured to use and the repository the webhook is expected to come from, rather than following whatever URL the payload supplies.
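The validation described above, as an added example that is not AWX's own code: the constructed payloads, the hypothetical `expected_host` and `expected_repo` settings (standing in for the GitHub API host and repository AWX knows from its own configuration), and the function names are assumptions made for this illustration. The vulnerable pattern simply returns the payload's URL; the hardened version only accepts an HTTPS commit-status endpoint on the configured host for the configured repository, so userinfo tricks (`api.github.com@evil.example`), look-alike hosts and scheme downgrades are all rejected.

```python
"""Validating the statuses_url from a GitHub pull_request webhook payload.

Added example, not AWX code. Assumes the consumer knows, from its own
configuration rather than from the payload, which GitHub API host it talks
to (api.github.com or a GitHub Enterprise host) and which repository the
webhook is registered for.
"""
import re
from urllib.parse import urlsplit

# Path shape of GitHub's commit-status endpoint: /repos/{owner}/{repo}/statuses/{sha}
_STATUSES_PATH = re.compile(r"^/repos/([^/]+)/([^/]+)/statuses/([0-9a-f]{40})$")


def statuses_url_is_trusted(url, expected_host, expected_repo):
    """True only for an https URL on exactly expected_host whose path is the
    commit-status endpoint of expected_repo ("owner/repo"). Anything else,
    including userinfo, explicit ports, queries and fragments, is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname strips userinfo and port, so "api.github.com@evil.example" yields evil.example
    if parts.hostname is None or parts.hostname != expected_host.lower():
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is not None or parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    m = _STATUSES_PATH.match(parts.path)
    if not m:
        return False
    owner, repo, _sha = m.groups()
    return f"{owner}/{repo}" == expected_repo


def pick_status_url_vulnerable(payload):
    """The pattern the advisory describes: trust whatever the payload says."""
    return payload["pull_request"]["statuses_url"]


def pick_status_url(payload, expected_host, expected_repo):
    """Hardened version: refuse to post the status (and the PAT) anywhere
    but the configured GitHub API host for the configured repository."""
    url = payload["pull_request"]["statuses_url"]
    if not statuses_url_is_trusted(url, expected_host, expected_repo):
        raise ValueError("untrusted statuses_url in webhook payload")
    return url


# Constructed sample payloads (not captured traffic); only the fields used here.
SHA = "0123456789abcdef0123456789abcdef01234567"
LEGIT_URL = f"https://api.github.com/repos/acme/app/statuses/{SHA}"


def _payload(url):
    return {"pull_request": {"statuses_url": url}, "repository": {"full_name": "acme/app"}}


SAMPLES = {
    "legit": _payload(LEGIT_URL),
    "attacker_host": _payload(f"https://evil.example/repos/acme/app/statuses/{SHA}"),
    "userinfo_trick": _payload(f"https://api.github.com@evil.example/repos/acme/app/statuses/{SHA}"),
    "lookalike_host": _payload(f"https://api.github.com.evil.example/repos/acme/app/statuses/{SHA}"),
    "plain_http": _payload(f"http://api.github.com/repos/acme/app/statuses/{SHA}"),
    "wrong_repo": _payload(f"https://api.github.com/repos/mallory/app/statuses/{SHA}"),
}


def run_samples(expected_host="api.github.com", expected_repo="acme/app"):
    """Map each sample name to whether the hardened check accepts its URL."""
    results = {}
    for name, payload in SAMPLES.items():
        try:
            pick_status_url(payload, expected_host, expected_repo)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} vulnerable -> {pick_status_url_vulnerable(payload)}")
    print(run_samples())
```

The repository check only adds value when `expected_repo` comes from configuration; comparing against `repository.full_name` inside the same payload would let a forger satisfy it trivially. The host comparison is the part that actually keeps the token on the intended API host.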
CVSS v3.1
Score: 6.3 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
(The availability metric was shown as High, but with the other metrics as listed that combination scores 8.2 under the v3.1 formula; only A:N yields the stated 6.3, which also matches a token-disclosure issue with no availability impact.)
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Martin Brodeur (FluentLogic) for reporting this issue.