9.6

CVE-2026-11807

Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.5 for RHEL 8
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.5 for RHEL 9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.6 for RHEL 9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.5
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.6
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.289
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 9.6 3.1 5.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 9.6 3.1 5.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://access.redhat.com/errata/RHSA-2026:28492
https://access.redhat.com/errata/RHSA-2026:28497
https://access.redhat.com/security/cve/CVE-2026-11807
https://bugzilla.redhat.com/show_bug.cgi?id=2487036
https://access.redhat.com/errata/RHSA-2026:28376
https://access.redhat.com/errata/RHSA-2026:28377
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11807.json