Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attacker must hold the webhook_key (PR:L), target must have PAT-based credentials configured (AC:H), and stolen PAT impacts GitHub outside AWX (S:C/C:H).
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.
AnalysisAI
Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three specific conditions must be satisfied simultaneously: (1) The targeted job template must be configured with GitHub pull_request webhook integration AND have a GitHub Personal Access Token set as the webhook credential - templates using other credential types or no PAT are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) classifies this as Medium severity, but the real-world risk is meaningfully higher for organizations relying on broad-scoped GitHub PATs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained the webhook_key for a targeted AWX job template - through credential disclosure, insider access, or prior system compromise - crafts a GitHub pull_request webhook JSON payload with the statuses_url field set to an attacker-controlled HTTPS listener. The payload is HMAC-signed using the webhook_key and submitted to the AWX webhook receiver endpoint. … |
| Remediation | Consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-12726 and the tracking bug at https://bugzilla.redhat.com/show_bug.cgi?id=2490796 for the latest patch availability, as no specific fix version is confirmed in the available data; check for an updated RAAP 2 package release from Red Hat. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plain
mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated r
Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git reposito
Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container
Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a r
Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38065
GHSA-w8qh-qh69-53cx