9.6
CVE-2026-11807
- EPSS 0.37%
- Veröffentlicht 23.06.2026 19:40:33
- Zuletzt bearbeitet 27.06.2026 05:16:41
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2.5 for RHEL 8
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2.5 for RHEL 9
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2.6 for RHEL 9
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2.5
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2.6
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.37% | 0.289 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 9.6 | 3.1 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 9.6 | 3.1 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://access.redhat.com/errata/RHSA-2026:28492
https://access.redhat.com/errata/RHSA-2026:28497
https://access.redhat.com/security/cve/CVE-2026-11807
https://bugzilla.redhat.com/show_bug.cgi?id=2487036
https://access.redhat.com/errata/RHSA-2026:28376
https://access.redhat.com/errata/RHSA-2026:28377
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11807.json