CVE Alert

CVE-2026-11807

CRITICAL 9.6

Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

CVSS Score
9.6
EPSS Score
0.0%
EPSS Percentile
0th

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

CWE: CWE-862 (Missing Authorization)
Vendor: Red Hat
Product: Red Hat Ansible Automation Platform 2.5
Published: Jun 23, 2026
Last Updated: Jun 23, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

Red Hat / Red Hat Ansible Automation Platform 2.5
All versions affected
Red Hat / Red Hat Ansible Automation Platform 2.6
All versions affected
Red Hat / Red Hat Ansible Automation Platform 2
All versions affected

References

NVD, CVE.org, EPSS Data (external entries)
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:28492
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:28497
access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-11807
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2487036

Credits

This issue was discovered by Chris Meyers (Red Hat, Inc.).