CVE-2026-11807 PUBLISHED

Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

Assigner: redhat
Reserved: 09.06.2026 Published: 23.06.2026 Updated: 24.06.2026

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
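To make the missing check concrete, the following is an added illustration, not eda-server's code: a Worker-message handler that trusts the activation_id carried in the message, beside one that binds the activation to the identity authenticated on the websocket session before releasing any credential. All names, the per-activation worker token, the owner field and the sample data are hypothetical.

```python
import hmac
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested activation."""

@dataclass
class Activation:
    id: int
    owner: str          # user that created the activation (hypothetical field)
    worker_token: str   # per-activation secret issued to its worker (hypothetical)
    credentials: dict = field(default_factory=dict)

# Constructed sample data: two activations belonging to different users.
ACTIVATIONS = {
    7: Activation(7, "alice", "tok-7", {"vault_password": "v-7", "ssh_key": "k-7"}),
    8: Activation(8, "bob", "tok-8", {"oauth_token": "o-8"}),
}

def vulnerable_worker_handler(msg, caller):
    """Trusts activation_id from the message: any authenticated caller gets the secrets."""
    if msg.get("type") != "Worker":
        return None
    return ACTIVATIONS[int(msg["activation_id"])].credentials

def hardened_worker_handler(msg, caller):
    """Releases credentials only to a caller bound to that activation.
    `caller` is the identity authenticated at websocket connect time, never message content."""
    if msg.get("type") != "Worker":
        return None
    activation = ACTIVATIONS.get(int(msg["activation_id"]))
    if activation is None:
        raise AuthorizationError("denied")  # same answer as unauthorized: no id enumeration
    is_worker = hmac.compare_digest(caller.get("worker_token", ""), activation.worker_token)
    is_owner = caller.get("user") == activation.owner
    if not (is_worker or is_owner):
        raise AuthorizationError("denied")
    return activation.credentials

def outcome(handler, msg, caller):
    """Demo wrapper: the credentials on success, the string 'denied' otherwise."""
    try:
        return handler(msg, caller)
    except AuthorizationError:
        return "denied"
```

The point of the hardened version is that the authorization decision is keyed on who is connected, which the session already established, rather than on an identifier the client chose.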

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 9.6

Product Status

Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 8
Versions Default: affected
  • unaffected from 0:1.1.19-1.el8ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5 for RHEL 9
Versions Default: affected
  • unaffected from 0:1.1.19-1.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6 for RHEL 9
Versions Default: affected
  • unaffected from 0:1.2.9-2.el9ap to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.5
Versions Default: affected
  • unaffected from 1781741251 to * (excl.)
Vendor Red Hat
Product Red Hat Ansible Automation Platform 2.6
Versions Default: affected
  • unaffected from 1781732675 to * (excl.)

Workarounds

The following practices help reduce or avoid exposure to this flaw until the fix is applied:

1) Restrict network access to the EDA websocket endpoint.
2) Review and limit user accounts that hold any level of Ansible Automation Platform authentication, since any authenticated user can exercise the flaw.

Credits

  • This issue was discovered by Chris Meyers (Red Hat, Inc.).

Problem Types

  • Missing Authorization (CWE)