PatchSiren cyber security CVE debrief

CVE-2026-11807 Red Hat CVE debrief

CVE-2026-11807 is a critical missing authorization vulnerability in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint fails to verify user permissions when processing Worker messages, allowing any authenticated user to send forged messages with arbitrary activation_id to receive plaintext credentials. These credentials include OAuth tokens, vault passwords, and SSH keys associated with that activation. The vulnerability has a CVSS score of 9.6 and is considered CRITICAL. The CVE was published on 2026-06-23T21:16:54.350Z and last modified on 2026-06-27T05:16:41.450Z.

Vendor: Red Hat
Product: Red Hat Ansible Automation Platform 2.5 for RHEL 8
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-27
Advisory published: 2026-06-23
Advisory updated: 2026-06-27

Who should care

Organizations using Event-Driven Ansible (EDA) should prioritize patching this vulnerability. Any authenticated user can exploit this flaw to gain unauthorized access to sensitive credentials, potentially leading to further system compromise. The vulnerability's critical severity and potential for significant impact make it essential for EDA users to address immediately.

Technical summary

The Event-Driven Ansible (EDA) websocket API has a missing authorization vulnerability at the /api/eda/ws/ansible-rulebook endpoint. This endpoint does not properly verify user permissions when processing Worker messages. Consequently, any authenticated user can send a forged message with an arbitrary activation_id. This action allows the user to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys. The vulnerability is rated with a CVSS score of 9.6, indicating critical severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, highlighting the vulnerability's high impact on confidentiality and integrity.

Defensive priority

This vulnerability requires immediate attention due to its critical severity and potential for significant impact. Organizations using Event-Driven Ansible (EDA) should prioritize patching to prevent unauthorized access to sensitive credentials.

Recommended defensive actions

Apply patches or updates provided by the vendor to address the missing authorization vulnerability.
Implement additional monitoring to detect and respond to potential exploitation attempts.
Review and update authentication and authorization configurations for the EDA websocket API.
Consider implementing compensating controls, such as limiting access to sensitive credentials.
Conduct a thorough inventory check to identify and patch all affected systems.

Evidence notes

The CVE-2026-11807 record was obtained from the official CVE database and the National Vulnerability Database (NVD). The vulnerability is associated with multiple references from Red Hat, including errata and bugzilla entries. While the vendor name is listed as 'Unknown Vendor,' evidence suggests a strong connection to Red Hat, given the presence of Red Hat references and errata.

Official resources

CVE-2026-11807 CVE record
CVE.org
CVE-2026-11807 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]
Source reference
[email protected]
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c

This article is AI-assisted and based on the supplied source corpus.