PT-2026-51585 · Red Hat · Red Hat Ansible Automation Platform 2
Chris Meyers · Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-11807
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
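The missing check described above, shown as an added example that is not Red Hat's or the EDA project's code: a handler that trusts the activation id in the message, beside one that authorizes the caller for that id before returning secrets. The names `Principal`, `ACTIVATIONS`, `handle_worker_unchecked`, `handle_worker_checked` and the `activation_id` message field are hypothetical, and the sample data is constructed.

```python
# Added illustration; every name and value here is hypothetical or constructed,
# not taken from the EDA code base.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    username: str
    is_worker: bool = False                    # True only for worker identities
    activation_ids: frozenset = frozenset()    # activations bound to this identity


# Constructed sample data: activation id -> secrets attached to it.
ACTIVATIONS = {
    1: {"owner": "alice", "secrets": {"vault_password": "constructed-secret-1"}},
    2: {"owner": "bob", "secrets": {"ssh_key": "constructed-secret-2"}},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested activation."""


def handle_worker_unchecked(principal, message):
    """Flawed pattern: being authenticated is treated as being authorized."""
    return ACTIVATIONS[message["activation_id"]]["secrets"]


def handle_worker_checked(principal, message, audit):
    """Hardened pattern: the id from the message is checked against the caller."""
    activation_id = message.get("activation_id")
    allowed = (
        principal.is_worker
        and type(activation_id) is int
        and activation_id in principal.activation_ids
        and activation_id in ACTIVATIONS
    )
    # Record every decision so denied requests can be alerted on.
    audit.append((principal.username, activation_id, "allow" if allowed else "deny"))
    if not allowed:
        # One error for unknown and unauthorized ids, so ids cannot be probed.
        raise Forbidden("not authorized for this activation")
    return ACTIVATIONS[activation_id]["secrets"]
```

Denied entries in the audit list, especially a non-worker identity requesting activations it does not own, are the signal to monitor for on an unpatched or recently patched deployment.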
Fix
Missing Authorization
Weakness Enumeration
Related identifiers
Affected products
Red Hat Ansible Automation Platform 2
Red Hat Ansible Automation Platform 2.5
Red Hat Ansible Automation Platform 2.6