CVE-2026-11807
published 2026-06-23


Priority: P2 (62)
Severity: critical, CVSS 3.1 base score 9.6
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.37% (28.8th percentile)
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

Affected (2 ranges)

Vendor                           Product                 Version range / Fixed in
ansible-automation-platform-25   eda-controller-rhel8    _1781741251
ansible-automation-platform-26   eda-controller-rhel9    _1781732675

Detection & IOCs (extracted from sources)

path: consumers.py
process: handle_workers()
  • Monitor WebSocket connections to /api/eda/ws/ansible-rulebook for Worker-type messages originating from non-worker/low-privilege authenticated user accounts, especially those containing an activation_id field that does not correspond to activations owned by that user.
  • Alert on any authenticated user account receiving plaintext credential material (OAuth tokens, vault passwords, SSH private keys, TLS certificates) via the EDA websocket endpoint, particularly where the user has no EDA permissions assigned.
  • Look for activation_id values in WebSocket Worker messages that do not match activations associated with the authenticated session's user — this is the core spoofing primitive for this CVE.
  • The vulnerable endpoint requires the attacker to be authenticated to the Ansible Automation Platform; unauthenticated access is not sufficient. Restricting which accounts can authenticate to AAP reduces exposure.
  • Network-level restriction of the EDA WebSocket endpoint is recommended as a compensating control until the patch (RHSA-2026:28377 / RHSA-2026:28376) is applied.
  • The automation-eda-controller package on Red Hat Ansible Automation Platform 2 was listed as 'Under investigation' at the time of the advisory; confirm patch status via RHSA-2026:28377 (AAP 2.6/RHEL 9) and RHSA-2026:28376 (AAP 2.5/RHEL 8 & 9).
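The spoofing primitive in the detection notes above is a Worker message whose activation_id is not one the sending account is entitled to. The following is an added example, not code from the Event-Driven Ansible project or from this advisory: it runs the ownership check over constructed websocket message logs and flags exactly those messages. The log format (one JSON object per line with user, path, type and activation_id), the activation IDs, the usernames, the worker account name and the `worker_message_authorized()` check are all assumptions for illustration; the real EDA log format and the project's actual fix in `handle_workers()` are not shown on the page.

```python
import json

# Constructed ownership map (hypothetical activation IDs and usernames):
# which user each activation belongs to, and which accounts act as rulebook workers.
ACTIVATION_OWNERS = {101: "alice", 102: "alice", 103: "bob"}
WORKER_ACCOUNTS = {"eda-worker"}

# The endpoint named in the advisory; only Worker messages on this path matter.
WS_PATH = "/api/eda/ws/ansible-rulebook"

# Constructed sample log, one JSON object per line, in a hypothetical format that
# records the authenticated user, the websocket path, the message type and the
# activation_id carried by the message. Not the real EDA log format.
SAMPLE_LOG = """\
{"user": "eda-worker", "path": "/api/eda/ws/ansible-rulebook", "type": "Worker", "activation_id": 101}
{"user": "alice", "path": "/api/eda/ws/ansible-rulebook", "type": "Worker", "activation_id": 102}
{"user": "mallory", "path": "/api/eda/ws/ansible-rulebook", "type": "Worker", "activation_id": 101}
{"user": "mallory", "path": "/api/eda/ws/ansible-rulebook", "type": "Worker", "activation_id": 999}
{"user": "mallory", "path": "/api/eda/ws/ansible-rulebook", "type": "Heartbeat", "activation_id": 101}
{"user": "bob", "path": "/api/eda/ws/other", "type": "Worker", "activation_id": 103}
"""


def worker_message_authorized(user, activation_id,
                              owners=ACTIVATION_OWNERS, workers=WORKER_ACCOUNTS):
    """Illustrative authorization check of the kind a Worker-message handler needs
    (an assumption, not the project's patch).

    Permit the message only if the sender is a designated worker account or owns
    the activation it names. An unknown activation_id is denied rather than ignored,
    because the vulnerable handler resolved whatever activation_id it was sent.
    """
    if user in workers:
        return True
    owner = owners.get(activation_id)
    return owner is not None and owner == user


def scan_log(log_text, owners=ACTIVATION_OWNERS, workers=WORKER_ACCOUNTS):
    """Return one finding per Worker message on the EDA websocket path whose sender
    is neither a worker account nor the owner of the activation_id it carries."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if entry.get("path") != WS_PATH or entry.get("type") != "Worker":
            continue
        user = entry.get("user")
        activation_id = entry.get("activation_id")
        if worker_message_authorized(user, activation_id, owners, workers):
            continue
        reason = ("unknown activation_id" if activation_id not in owners
                  else f"activation owned by {owners[activation_id]}")
        findings.append({"line": lineno, "user": user,
                         "activation_id": activation_id, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['user']} sent a Worker message for "
              f"activation {f['activation_id']} ({f['reason']})")
```

On the constructed sample the scanner reports only mallory's two messages: the one naming alice's activation 101 and the one naming an activation that does not exist. The Heartbeat message and the message on another path are ignored, and the worker account is allowed through. In a real deployment the ownership map would come from the EDA database and the worker identity from however the rulebook workers authenticate, neither of which this page specifies.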

CVSS provenance

NVD (v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Vendor (Red Hat): 9.6 CRITICAL