Unrated

Missing Authorization in Event-Driven Ansible EDA Websocket API

Identifiers: CVE-2026-11807, CWE-862

CVE-2026-11807 is a critical missing authorization flaw in Red Hat Ansible Automation Platform's Event-Driven Ansible (EDA) websocket API. The vulnerable endpoint, /api/eda/ws/ansible-rulebook, does not verify user permissions when processing Worker messages. Because authorization is not enforced on requests referencing activation data, any authenticated user can forge a Worker message containing an arbitrary activation_id and cause the service to return plaintext credentials associated with that activation. Exposed secrets may include OAuth tokens, vault passwords, and SSH keys. The issue is remotely exploitable and stems from improper access control on a sensitive websocket message-handling path.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker with low privileges to retrieve plaintext credentials belonging to other activations. This can directly compromise confidentiality by exposing OAuth tokens, vault passwords, and SSH keys, and can also enable follow-on unauthorized access to external systems, automation assets, and connected services. Because the disclosed credentials may be used to alter automation behavior, access protected infrastructure, or impersonate trusted components, the vulnerability can also have downstream integrity and availability consequences.

Mitigation

If you can’t patch tonight, do this now.

If an official fix cannot be applied immediately, restrict access to the EDA websocket API to only trusted users and administrative roles, minimize the number of accounts with EDA access, and monitor for anomalous requests involving unexpected activation_id values. Rotate any potentially exposed OAuth tokens, vault passwords, and SSH keys. Where possible, segment or disable access to the affected websocket functionality until authorization checks are in place.

Remediation

Patch, then assume compromise.

Implement and enforce authorization checks on the /api/eda/ws/ansible-rulebook websocket endpoint before processing Worker messages. The server should validate that the authenticated user is permitted to access the specific activation_id referenced in the message and should deny requests for unauthorized activations. Review all websocket message handlers that expose sensitive activation data to ensure access control is consistently applied. Apply the vendor-provided fix or updated Red Hat Ansible Automation Platform release that corrects the missing authorization condition.
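
An added sketch of the object-level check described above, with an audit trail that supports the activation_id monitoring suggested under Mitigation. It is not Red Hat's code or the vendor fix: the `type` key, the `User` and `Activation` models, the organization-membership policy and the audit list are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Activation:
    id: int
    org: str
    credentials: dict = field(default_factory=dict)

@dataclass(frozen=True)
class User:
    name: str
    orgs: frozenset          # organizations the user belongs to (assumed model)
    is_admin: bool = False

class Denied(Exception):
    """Raised for any request that must not receive activation data."""

def can_read_activation(user, activation):
    # Hypothetical policy: admins, or members of the activation's organization.
    return user.is_admin or activation.org in user.orgs

def handle_worker_message(user, message, activations, audit):
    """Return activation credentials only after an object-level permission check."""
    if message.get("type") != "Worker":
        raise Denied("unsupported message")
    activation_id = message.get("activation_id")
    # Reject non-integer ids (bool is an int subclass, so exclude it explicitly).
    if not isinstance(activation_id, int) or isinstance(activation_id, bool):
        raise Denied("invalid activation_id")
    activation = activations.get(activation_id)
    # Same error for "does not exist" and "not permitted": no enumeration oracle.
    if activation is None or not can_read_activation(user, activation):
        audit.append({"user": user.name, "activation_id": activation_id,
                      "result": "denied"})
        raise Denied("not found")
    audit.append({"user": user.name, "activation_id": activation_id,
                  "result": "allowed"})
    return dict(activation.credentials)

# Constructed sample data: two activations owned by different organizations.
ACTIVATIONS = {
    1: Activation(1, "team-a", {"vault_password": "constructed-a"}),
    2: Activation(2, "team-b", {"ssh_key": "constructed-b"}),
}
```

Being authenticated is never sufficient on its own here: every lookup is bound to the caller's permission on that specific activation, and each denied entry in the audit list is a candidate signal for the monitoring described under Mitigation.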
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Red Hat | Event-Driven Ansible | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
