Skip to main content

Ansible Automation Platform EUVDEUVD-2026-38598

| CVE-2026-11807 CRITICAL
Missing Authorization (CWE-862)
2026-06-23 redhat GHSA-3w6r-r33r-cfg6
9.6
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
9.6 CRITICAL

Network-reachable websocket exploitable by any authenticated user (PR:L), no UI; leaks secrets that unlock other systems (S:C, C:H, I:H), no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Red Hat
9.6 CRITICAL
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:52 vuln.today

DescriptionCVE.org

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

AnalysisAI

Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plaintext OAuth tokens, vault passwords, and SSH keys by sending forged Worker messages to the Event-Driven Ansible websocket endpoint. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions on activation_id values, enabling lateral credential theft across tenants. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv EDA account
Delivery
Connect to ansible-rulebook websocket
Exploit
Enumerate activation_id values
Execution
Send forged Worker message
Persist
Receive plaintext credentials
Impact
Pivot to managed systems

Vulnerability AssessmentAI

Exploitation Requires an authenticated user account on the Red Hat Ansible Automation Platform EDA controller (CVSS PR:L) with network reachability to the /api/eda/ws/ansible-rulebook websocket endpoint; no admin role, no user interaction, and no non-default configuration is required, because the endpoint is part of the standard EDA deployment in AAP 2, 2.5, and 2.6. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N is consistent with the description: a low-privileged authenticated user, over the network, with no user interaction, can extract high-value secrets belonging to other tenants - the scope change (S:C) reflects that credentials cross the EDA authorization boundary into systems those credentials unlock (Git, cloud, SSH targets). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains or is granted a low-privilege user account on the AAP/EDA controller (insider, contractor, or a previously phished account). They open a websocket to /api/eda/ws/ansible-rulebook, enumerate or guess activation_id values belonging to higher-privileged automations, and send forged Worker messages, receiving plaintext OAuth tokens, vault passwords, and SSH keys back from the controller - which they then use to pivot directly into the cloud accounts, Git repositories, and Linux fleets that EDA automates.
Remediation Apply the Red Hat patches available per vendor advisory by installing the updated EDA controller packages shipped in RHSA-2026:28492 (https://access.redhat.com/errata/RHSA-2026:28492) and RHSA-2026:28497 (https://access.redhat.com/errata/RHSA-2026:28497) for Ansible Automation Platform 2.5 and 2.6; exact fix versions should be taken from those errata. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Ansible Automation Platform 2.5 and 2.6 deployments; restrict network access to /api/eda/ws/ansible-rulebook endpoint via firewall rules; review audit logs for suspicious Worker message activity and credential access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-38598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy