Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

AI Analysis

Missing authorization in EDA websocket API allows credential theft

Basic Information

ID CVE-2026-11807

Source redhat

Published Jun 23, 2026 at 19:40

Modified Jun 23, 2026 at 19:43

Affected Product

Vendor Red Hat

Product Red Hat Ansible Automation Platform 2.5

Version 2.5

CWE Classification

CWE-862

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor Red Hat

Product Ansible Automation Platform

Version 2.5

References

{
    "lastseen": "",
    "description": "A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.",
    "published": "2026-06-23T19:40:33.182Z",
    "modified": "2026-06-23T19:43:41.757Z",
    "type": "cve",
    "title": "Eda-server: websocket missing authorization allows credential theft via activation_id spoofing",
    "source": "redhat",
    "references": "https://access.redhat.com/errata/RHSA-2026:28492\nhttps://access.redhat.com/errata/RHSA-2026:28497\nhttps://access.redhat.com/security/cve/CVE-2026-11807\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2487036",
    "id": "CVE-2026-11807",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Red Hat Ansible Automation Platform 2.5",
    "version": "2.5",
    "vendor": "Red Hat",
    "ai_description": "Missing authorization in EDA websocket API allows credential theft",
    "ai_severity": "Critical",
    "ai_vendor": "Red Hat",
    "ai_product": "Ansible Automation Platform",
    "ai_version": "2.5",
    "ai_score": 9.6
}

Eda-server: websocket missing authorization allows credential theft via activation_id spoofing_CVE-2026-11807