CVE-2026-11807

Summary

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 80:1.1.19-1.el8ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 90:1.1.19-1.el9ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.6 for RHEL 90:1.2.9-2.el9ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.51781741251 < *unaffected
Red HatRed Hat Ansible Automation Platform 2.61781732675 < *unaffected

Weaknesses

  • CWE-862: Missing Authorization

Workarounds

The following practices would help for reducing or avoiding the exposure to this flaw:

  1. Restrict network access to the EDA websocket endpoint.
  2. Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

eda-server: websocket missing authorization allows credential theft via activation_id spoofing

Additional References

References