Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Network-reachable websocket exploitable by any authenticated user (PR:L), no UI; leaks secrets that unlock other systems (S:C, C:H, I:H), no availability impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Articles & Coverage 1
AnalysisAI
Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated user account on the Red Hat Ansible Automation Platform EDA controller (CVSS PR:L) with network reachability to the /api/eda/ws/ansible-rulebook websocket endpoint; no admin role, no user interaction, and no non-default configuration is required, because the endpoint is part of the standard EDA deployment in AAP 2, 2.5, and 2.6. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N is consistent with the description: a low-privileged authenticated user, over the network, with no user interaction, can extract high-value secrets belonging to other tenants - the scope change (S:C) reflects that credentials cross the EDA authorization boundary into systems those credentials unlock (Git, cloud, SSH targets). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains or is granted a low-privilege user account on the AAP/EDA controller (insider, contractor, or a previously phished account). They open a websocket to /api/eda/ws/ansible-rulebook, enumerate or guess activation_id values belonging to higher-privileged automations, and send forged Worker messages, receiving plaintext OAuth tokens, vault passwords, and SSH keys back from the controller - which they then use to pivot directly into the cloud accounts, Git repositories, and Linux fleets that EDA automates. |
| Remediation | Apply the Red Hat patches available per vendor advisory by installing the updated EDA controller packages shipped in RHSA-2026:28492 (https://access.redhat.com/errata/RHSA-2026:28492) and RHSA-2026:28497 (https://access.redhat.com/errata/RHSA-2026:28497) for Ansible Automation Platform 2.5 and 2.6; exact fix versions should be taken from those errata. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Ansible Automation Platform 2.5 and 2.6 deployments; restrict network access to /api/eda/ws/ansible-rulebook endpoint via firewall rules; review audit logs for suspicious Worker message activity and credential access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38598
GHSA-3w6r-r33r-cfg6