CVE-2026-11807 | Severity: CRITICAL | CNA: redhat

CVE-2026-11807: Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
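The advisory's core point is a missing object-level authorization check: the handler trusts the activation_id supplied in a Worker message and releases that activation's secrets without asking whether the caller may read them. The following is an added illustration, not eda-server's code and no claim about its real structure; the names User, Activation, ACTIVATIONS, AUDIT_LOG, handle_worker_message_vulnerable, handle_worker_message_hardened, can_read_activation and denied_requests_by_user are all assumptions, and the secrets and store are constructed placeholders. It shows the unchecked pattern beside a hardened handler that validates the id, authorizes the caller against that specific activation before any secret is released, and records each decision so unexpected activation_id queries can be audited.

```python
"""Added, hypothetical illustration of the authorization gap described for
CVE-2026-11807: a websocket handler that releases an activation's credentials
based solely on the client-supplied activation_id, beside a hardened handler
that authorizes the caller against that specific activation first.
This is not eda-server's code; every name here is an assumption."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_superuser: bool = False


@dataclass
class Activation:
    id: int
    owner_id: int
    # Constructed placeholder secrets; in a real service these come from a
    # secret store, which is why releasing them needs a permission check.
    credentials: dict = field(default_factory=dict)


# Constructed in-memory store standing in for the database.
ACTIVATIONS = {
    1: Activation(1, owner_id=10, credentials={"ssh_key": "PLACEHOLDER-ALICE-KEY"}),
    2: Activation(2, owner_id=20, credentials={"vault_password": "PLACEHOLDER-BOB-VAULT"}),
}

# Audit trail of credential requests (assumption: a plain list; a real service
# would emit structured log records so reviewers can spot unexpected queries).
AUDIT_LOG: list[tuple[str, int, int]] = []


class AuthorizationError(Exception):
    """Raised when the caller may not read the requested activation."""


def handle_worker_message_vulnerable(user: User, message: dict) -> dict:
    """Pattern the advisory describes: the client-supplied activation_id is
    trusted and the caller's permissions are never consulted."""
    if message.get("type") != "Worker":
        raise ValueError("unexpected message type")
    return ACTIVATIONS[int(message["activation_id"])].credentials


def can_read_activation(user: User, activation: Activation) -> bool:
    """Object-level authorization: the caller must own the activation or be an
    administrator. A real deployment would consult its RBAC layer here."""
    return user.is_superuser or activation.owner_id == user.id


def handle_worker_message_hardened(user: User, message: dict) -> dict:
    """Same message flow, but the activation_id is validated and the caller is
    authorized against that specific activation before any secret is released."""
    if message.get("type") != "Worker":
        raise ValueError("unexpected message type")
    try:
        activation_id = int(message["activation_id"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("activation_id missing or malformed") from None
    activation = ACTIVATIONS.get(activation_id)
    # Same outcome for "does not exist" and "not permitted", so the endpoint
    # does not confirm which activation ids exist.
    if activation is None or not can_read_activation(user, activation):
        AUDIT_LOG.append(("denied", user.id, activation_id))
        raise AuthorizationError(f"user {user.id} may not read activation {activation_id}")
    AUDIT_LOG.append(("granted", user.id, activation_id))
    return activation.credentials


def denied_requests_by_user(user_id: int) -> int:
    """Audit helper: count refused credential requests from one account. A burst
    of denials across many activation ids is the signal a reviewer looks for."""
    return sum(1 for outcome, uid, _ in AUDIT_LOG if outcome == "denied" and uid == user_id)


if __name__ == "__main__":
    bob = User(20, "bob")
    request = {"type": "Worker", "activation_id": 1}  # activation 1 belongs to user 10
    print("vulnerable:", handle_worker_message_vulnerable(bob, request))
    try:
        handle_worker_message_hardened(bob, request)
    except AuthorizationError as exc:
        print("hardened:", exc)
```

The hardened handler refuses with the same error whether the activation is missing or merely not permitted, so the endpoint cannot be used to enumerate which ids exist, and every refusal lands in the audit trail that a post-incident review of websocket activity would rely on.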

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 1781732675
  • Affected Products: 3


HarborGuard Analysis

Synopsis

A missing authorization vulnerability in Event-Driven Ansible (EDA) allows any authenticated user to steal credentials from other activations via the websocket API. The flaw is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation gives the attacker plaintext OAuth tokens, vault passwords, and SSH keys belonging to other users or automation workflows. A patched-image rebuild is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11807 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Red Hat advisory feed, within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images derived from Ansible Automation Platform base layers.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical) and weights it against each environment's compliance policy to determine urgency and routing, directing findings to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at the fix versions (1781732675 and 1781741251) is available on HarborGuard for any image found running an affected release of Red Hat Ansible Automation Platform 2.x. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable websocket endpoint is exposed over the network, so the attacker must be able to reach the EDA server's API from a network-adjacent or internet-routable position.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker only needs valid credentials to authenticate to the platform before sending a forged Worker message.

  • Victim interaction: Not required

    The attacker interacts directly with the websocket API; no action is required from any other user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental prerequisites.

Blast Radius

  • Attacker reads plaintext OAuth tokens associated with arbitrary automation activations, enabling impersonation of those integrations against external services.
  • Attacker retrieves vault passwords in cleartext, unlocking encrypted secrets stored across any Ansible vault tied to an affected activation.
  • Attacker obtains SSH private keys from other users' activations, gaining direct shell access to any host those keys authorize.
  • The confidentiality and integrity of all managed infrastructure are at risk, because the stolen credentials can be used to modify automation workflows or access downstream systems.

How HarborGuard Handles This

Available on HarborGuard: images derived from Red Hat Ansible Automation Platform 2.x are matched against CVE-2026-11807 at ingest time, with results visible immediately in the vulnerability dashboard. Where compliance policy permits, a rebuilt image pinned to the patched fix versions is available for deployment. For customers who opt into auto-remediation, the full flow (rebuild, regression run, and a pull request opened against affected workloads) is available; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Until a rebuild is deployed, compensating controls worth considering include:

  • restricting access to the /api/eda/ws/ansible-rulebook endpoint via network policy to only known worker IP ranges;
  • applying egress filtering on the EDA server to limit the blast radius from any stolen credentials;
  • auditing recent websocket connections for unexpected activation_id queries.

HarborGuard re-checks the advisory on every ingest cycle and will surface any additional fix versions as Red Hat publishes updates to the affected platform streams.


Fix available

1781732675, 1781741251
Affected packages
  • Red Hat / Red Hat Ansible Automation Platform 2.5
    Fixed in 1781741251
  • Red Hat / Red Hat Ansible Automation Platform 2.6
    Fixed in 1781732675
  • Red Hat / Red Hat Ansible Automation Platform 2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N