CVE-2026-11807
Published 2026-06-23
Priority P2 (62) · critical · CVSS 3.1 base score 9.6
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:N
EPSS: 0.37% (28.8th percentile)
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | eda-controller-rhel8_1781741251 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9_1781732675 | — | — |
Detection & IOCs (extracted from sources)
- Monitor WebSocket connections to /api/eda/ws/ansible-rulebook for Worker-type messages originating from non-worker/low-privilege authenticated user accounts, especially those containing an activation_id field that does not correspond to activations owned by that user.
- Alert on any authenticated user account receiving plaintext credential material (OAuth tokens, vault passwords, SSH private keys, TLS certificates) via the EDA websocket endpoint, particularly where the user has no EDA permissions assigned.
- Look for activation_id values in WebSocket Worker messages that do not match activations associated with the authenticated session's user; this is the core spoofing primitive for this CVE.
- The vulnerable endpoint requires the attacker to be authenticated to the Ansible Automation Platform; unauthenticated access is not sufficient. Restricting which accounts can authenticate to AAP reduces exposure.
- Network-level restriction of the EDA WebSocket endpoint is recommended as a compensating control until the patch (RHSA-2026:28377 / RHSA-2026:28376) is applied.
- The automation-eda-controller package on Red Hat Ansible Automation Platform 2 was listed as 'Under investigation' at time of advisory; confirm patch status via RHSA-2026:28377 (AAP 2.6/RHEL 9) and RHSA-2026:28376 (AAP 2.5/RHEL 8 & 9).
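The detection items above reduce to one rule: a Worker-type message on /api/eda/ws/ansible-rulebook whose sender is not a worker process, and whose activation_id is not owned by the authenticated user, is the signal to alert on. The following script is an added example that is not part of this advisory or of the eda-server project; it runs that rule over a few constructed JSON-lines audit records. The record schema (user, role, endpoint, msg_type, activation_id) and the activation ownership map are assumptions chosen for the example, not eda-server's real log format or API.

```python
import json
from typing import Dict, List, Optional

# Endpoint named in the advisory.
EDA_WS_ENDPOINT = "/api/eda/ws/ansible-rulebook"

# Constructed sample records (assumed JSON-lines schema: user, role, endpoint,
# msg_type, activation_id). This is NOT eda-server's real log format.
SAMPLE_LOG = """\
{"user": "eda-worker", "role": "worker", "endpoint": "/api/eda/ws/ansible-rulebook", "msg_type": "Worker", "activation_id": 17}
{"user": "alice", "role": "user", "endpoint": "/api/eda/ws/ansible-rulebook", "msg_type": "Worker", "activation_id": 17}
{"user": "bob", "role": "user", "endpoint": "/api/eda/ws/ansible-rulebook", "msg_type": "Worker", "activation_id": 42}
{"user": "bob", "role": "user", "endpoint": "/api/eda/ws/ansible-rulebook", "msg_type": "Worker", "activation_id": 999}
{"user": "alice", "role": "user", "endpoint": "/api/eda/ws/ansible-rulebook", "msg_type": "Heartbeat", "activation_id": 17}
{"user": "alice", "role": "user", "endpoint": "/api/eda/other", "msg_type": "Worker", "activation_id": 17}
"""

# Constructed ownership map (activation_id -> owning user); in a real deployment
# this would be built from the EDA controller's activation inventory.
ACTIVATION_OWNERS: Dict[int, str] = {17: "alice", 42: "carol"}


def classify_record(rec: dict, owners: Dict[int, str]) -> Optional[dict]:
    """Return a finding for a Worker message the endpoint should not have honoured, else None."""
    if rec.get("endpoint") != EDA_WS_ENDPOINT or rec.get("msg_type") != "Worker":
        return None  # not the message type the flaw concerns
    if rec.get("role") == "worker":
        return None  # a genuine rulebook worker process is expected to send these
    user = rec.get("user")
    activation_id = rec.get("activation_id")
    owner = owners.get(activation_id)
    if owner is None:
        severity, reason = "high", "activation_id does not exist in inventory"
    elif owner != user:
        severity, reason = "high", f"activation_id is owned by {owner}, not {user}"
    else:
        # Even a user's own activation should not be driven from a plain user session.
        severity, reason = "medium", "non-worker account sent a Worker message"
    return {"user": user, "activation_id": activation_id, "severity": severity, "reason": reason}


def analyze_log(text: str, owners: Dict[int, str]) -> List[dict]:
    """Run classify_record over every JSON line, skipping blank or unparsable lines."""
    findings: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed audit line; a production rule would count these separately
        finding = classify_record(rec, owners)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG, ACTIVATION_OWNERS):
        print(f"[{f['severity']}] user={f['user']} activation_id={f['activation_id']}: {f['reason']}")
```

On the sample, the worker's own message, the Heartbeat, and the message to a different endpoint produce nothing; alice driving her own activation from a user session is flagged medium, and bob naming another user's activation or a non-existent one is flagged high. The ownership lookup is the piece that matters: without it the rule can only say "a user sent a Worker message", which is the same missing check the fix addresses.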
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| vendor_redhat | — | 9.6 | CRITICAL | — |
VulDB
Red Hat Ansible Automation Platform 2/2.5/2.6 Forged Message ansible-rulebook authorization (RHSA-2026:28492)
vuldb · 2026-06-23 · CVSS 9.6 · CVE-2026-11807 [CRITICAL]
A vulnerability was found in Red Hat Ansible Automation Platform 2/2.5/2.6 and classified as critical. Affected is an unknown function of the file /api/eda/ws/ansible-rulebook of the component Forged Message Handler. The manipulation results in missing authorization.
This vulnerability is known as CVE-2026-11807. It is possible to launch the attack remotely. No exploit is available.
GHSA
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API.
ghsa_unreviewed · 2026-06-23 · CVE-2026-11807 [CRITICAL] · CWE-862
Red Hat
eda-server: websocket missing authorization allows credential theft via activation_id spoofing
vendor_redhat · 2026-06-23 · CVSS 9.6 · CVE-2026-11807 [CRITICAL] · CWE-862
Mitigation: The following practices would help reduce or avoid exposure to this flaw:
1) Restrict network access to the EDA websocket endpoint.
2) Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied.
Package: automati
No detection rules found.
No public exploits indexed.
References
- https://access.redhat.com/errata/RHSA-2026:28376
- https://access.redhat.com/errata/RHSA-2026:28377
- https://access.redhat.com/errata/RHSA-2026:28492
- https://access.redhat.com/errata/RHSA-2026:28497
- https://access.redhat.com/security/cve/CVE-2026-11807
- https://bugzilla.redhat.com/show_bug.cgi?id=2487036
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11807.json