PT-2026-51585 · Red Hat · Red Hat Ansible Automation Platform 2 (+2 more)
Chris Meyers · Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-11807
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
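One way to close this class of gap, shown as an added example that is not Red Hat's or the EDA project's code: authorize every Worker message against the identity bound to the connection before returning anything, and record denials as a detection signal. The Principal model, the secrets store and every name below are hypothetical, and the sample values are constructed.

```python
# Added illustration with hypothetical names; not code from the EDA project.
from dataclasses import dataclass


class Forbidden(Exception):
    """The connection's identity may not act on the requested activation."""


@dataclass(frozen=True)
class Principal:
    username: str
    is_worker: bool = False                  # assumed: set for worker identities only
    activation_ids: frozenset = frozenset()  # assumed: activations bound at login


# Constructed sample store: activation id -> secrets handed to its worker.
SECRETS = {
    101: {"vault_password": "constructed-a"},
    202: {"vault_password": "constructed-b"},
}

AUDIT_LOG = []  # denied requests, kept as a detection signal


def credentials_for_worker(principal, activation_id):
    """Return an activation's secrets only to the worker bound to it.

    The check runs on every message; authenticating the connection once
    is not treated as authorization for the ids it later names.
    """
    # Reject anything but a plain int (bool is an int subclass) before lookup.
    if type(activation_id) is not int:
        AUDIT_LOG.append((principal.username, repr(activation_id), "malformed"))
        raise Forbidden("request denied")
    allowed = principal.is_worker and activation_id in principal.activation_ids
    if not allowed or activation_id not in SECRETS:
        # One error for unknown and unauthorized ids, so replies do not
        # reveal which activation ids exist.
        AUDIT_LOG.append((principal.username, activation_id, "denied"))
        raise Forbidden("request denied")
    return SECRETS[activation_id]


def ids_probed_by(username):
    """Distinct activation ids a user was denied; enumeration shows up here."""
    return {aid for user, aid, _ in AUDIT_LOG if user == username}
```

A user whose denied set spans many activation ids in a short window is worth alerting on.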
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Red Hat Ansible Automation Platform 2
Red Hat Ansible Automation Platform 2.5
Red Hat Ansible Automation Platform 2.6