Missing auth in Red Hat EDA WebSocket API leaks credentials
CVE-2026-11807 Published on June 23, 2026

Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
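The following is an added, deliberately simplified model of the class of bug described above; it is not eda-server's code and does not reproduce its message format. The names (Activation, User, handle_worker_message_vulnerable, handle_worker_message_fixed, can_access_activation) and the ownership rule "owner or superuser" are assumptions made for illustration. The vulnerable handler releases an activation's secrets to any authenticated caller who names its activation_id; the fixed handler adds the object-level check that is missing, returns the same denial for "not found" and "not permitted", and records denials so that spoofing attempts surface in logs.

```python
"""Illustrative model of the CVE-2026-11807 authorization gap.

Hypothetical example (not eda-server's code): a WebSocket "Worker" message
handler that returns an activation's secrets keyed only by the activation_id
in the message, next to a variant that checks the caller's permission first.
"""
from dataclasses import dataclass


@dataclass
class Activation:
    activation_id: int
    owner: str          # user that created the activation (assumed ownership model)
    credentials: dict   # plaintext secrets the worker needs (constructed values)


@dataclass
class User:
    username: str
    is_superuser: bool = False


class AuthorizationError(Exception):
    pass


# Constructed sample data: two users, each owning one activation.
ACTIVATIONS = {
    1: Activation(1, "alice", {"vault_password": "alice-vault-secret"}),
    2: Activation(2, "bob", {"ssh_key": "-----BEGIN OPENSSH PRIVATE KEY-----..."}),
}


def handle_worker_message_vulnerable(user, message):
    """Returns credentials for whatever activation_id the message names.

    The only check is that the caller is authenticated; nothing ties the caller
    to the activation, so a message carrying another user's activation_id
    returns that user's secrets.
    """
    if user is None:
        raise AuthorizationError("authentication required")
    if message.get("type") != "Worker":
        return None
    activation = ACTIVATIONS.get(message.get("activation_id"))
    if activation is None:
        return None
    return activation.credentials


def can_access_activation(user, activation):
    """Object-level authorization: only the activation's owner or a superuser."""
    return user.is_superuser or activation.owner == user.username


def handle_worker_message_fixed(user, message, audit_log):
    """Same handler with the missing authorization check added."""
    if user is None:
        raise AuthorizationError("authentication required")
    if message.get("type") != "Worker":
        return None
    activation_id = message.get("activation_id")
    activation = ACTIVATIONS.get(activation_id)
    if activation is None or not can_access_activation(user, activation):
        # One response for "missing" and "forbidden", so the endpoint does not
        # confirm which activation ids exist; the denial is logged for detection.
        audit_log.append(f"denied user={user.username} activation_id={activation_id}")
        raise AuthorizationError("activation not found or not permitted")
    return activation.credentials


def fixed_handler_releases(user, message, audit_log):
    """True if the fixed handler would release credentials, False if it denies."""
    try:
        return handle_worker_message_fixed(user, message, audit_log) is not None
    except AuthorizationError:
        return False


if __name__ == "__main__":
    bob = User("bob")
    forged = {"type": "Worker", "activation_id": 1}   # bob naming alice's activation
    log = []
    print("vulnerable:", handle_worker_message_vulnerable(bob, forged))
    print("fixed releases:", fixed_handler_releases(bob, forged, log), log)
```

The detection side follows from the audit line: a single principal producing denials across many activation_id values, or any denial at all on an endpoint that legitimate workers only ever call with their own activation, is the signal to alert on.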

References: Vendor Advisory, NVD

Vulnerability Analysis

CVE-2026-11807 can be exploited with network access and requires only low user privileges. The attack complexity is considered low. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Timeline

Reported to Red Hat.

Made public 14 days later.

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-11807 has been classified as an AuthZ (missing authorization) vulnerability.


Products Associated with CVE-2026-11807


Affected Versions

Red Hat Ansible Automation Platform 2.5
Red Hat Ansible Automation Platform 2.6
Red Hat Ansible Automation Platform 2