Skip to main content

Ansible AWX CVE-2026-12726

| EUVDEUVD-2026-38065 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-19 redhat GHSA-w8qh-qh69-53cx
6.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.3 MEDIUM

Attacker must hold the webhook_key (PR:L), target must have PAT-based credentials configured (AC:H), and stolen PAT impacts GitHub outside AWX (S:C/C:H).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Red Hat
6.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 19, 2026 - 19:31 vuln.today

DescriptionCVE.org

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.

AnalysisAI

Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain job template webhook_key
Delivery
Craft pull_request webhook with malicious statuses_url
Exploit
Sign and submit forged webhook to AWX receiver
Execution
AWX stores attacker-controlled callback URL
Persist
Job execution triggers status POST bearing GitHub PAT
Impact
Receive and exfiltrate GitHub PAT at attacker endpoint

Vulnerability AssessmentAI

Exploitation Three specific conditions must be satisfied simultaneously: (1) The targeted job template must be configured with GitHub pull_request webhook integration AND have a GitHub Personal Access Token set as the webhook credential - templates using other credential types or no PAT are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) classifies this as Medium severity, but the real-world risk is meaningfully higher for organizations relying on broad-scoped GitHub PATs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained the webhook_key for a targeted AWX job template - through credential disclosure, insider access, or prior system compromise - crafts a GitHub pull_request webhook JSON payload with the statuses_url field set to an attacker-controlled HTTPS listener. The payload is HMAC-signed using the webhook_key and submitted to the AWX webhook receiver endpoint. …
Remediation Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-12726 and the tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2490796 for the latest patch availability, as no specific fix version is confirmed in the available data; check for an updated RAAP 2 package release from Red Hat. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12726 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy