Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11807

CVE-2026-11807: Event-Driven Ansible Auth Bypass Flaw

CVE-2026-11807 is an authentication bypass vulnerability in Event-Driven Ansible's websocket API that allows authenticated users to access plaintext credentials. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-11807 Overview

CVE-2026-11807 is a missing authorization vulnerability in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint fails to verify user permissions when processing Worker messages. Any authenticated user can forge a Worker message containing an arbitrary activation_id and receive the plaintext credentials bound to that activation. Exposed secrets include OAuth tokens, vault passwords, and SSH keys used by rulebook activations across the EDA controller.

The weakness is classified as [CWE-862] Missing Authorization. Red Hat has published advisories RHSA-2026:28376, RHSA-2026:28377, RHSA-2026:28492, and RHSA-2026:28497 to address impacted EDA components.

Critical Impact

Any authenticated EDA user can exfiltrate OAuth tokens, vault passwords, and SSH keys belonging to other activations, enabling lateral movement across automated infrastructure.

Affected Products

  • Red Hat Ansible Automation Platform Event-Driven Ansible controller (see RHSA-2026:28376)
  • Red Hat Ansible Automation Platform Event-Driven Ansible components (see RHSA-2026:28377 and RHSA-2026:28492)
  • Red Hat Ansible Automation Platform packages addressed in RHSA-2026:28497

Discovery Timeline

  • 2026-06-23 - CVE-2026-11807 published to the National Vulnerability Database
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-11807

Vulnerability Analysis

The Event-Driven Ansible controller exposes a websocket endpoint at /api/eda/ws/ansible-rulebook that brokers messages between the controller and ansible-rulebook Worker processes. The controller authenticates clients connecting to the socket but does not authorize the contents of inbound Worker messages. A client can therefore impersonate a Worker for an activation it does not own.

When the controller receives a Worker handshake referencing an activation_id, it responds with the secrets required to run that activation. The response includes OAuth tokens used to call the controller API, vault passwords, and SSH private keys associated with the activation's credentials. Because the channel returns plaintext material, captured tokens and keys can be reused directly against managed hosts and upstream APIs.

Root Cause

The root cause is the absence of an authorization check between authentication and message processing on the websocket consumer. The handler trusts the activation_id supplied by the client instead of validating that the connected principal owns or is assigned to that activation. This is a textbook [CWE-862] Missing Authorization defect on a privileged data path.

Attack Vector

The attack vector is network-based and requires only low-privileged authenticated access to the EDA API. An attacker enumerates or guesses valid activation_id values, opens a websocket to /api/eda/ws/ansible-rulebook, and sends a forged Worker Startup message. The server returns activation secrets, which the attacker can use to access source control systems, cloud providers, and managed endpoints reachable by the harvested credentials. See the Red Hat CVE analysis for CVE-2026-11807 for protocol-level detail.

Detection Methods for CVE-2026-11807

Indicators of Compromise

  • Websocket connections to /api/eda/ws/ansible-rulebook originating from user accounts that are not assigned to the referenced activation.
  • Multiple Worker Startup messages from a single session referencing distinct activation_id values in rapid succession.
  • Use of OAuth tokens, vault passwords, or SSH keys from source IPs or sessions that do not match prior activation execution patterns.

Detection Strategies

  • Correlate EDA controller access logs with activation ownership to flag websocket sessions that request secrets for activations the authenticated user does not own.
  • Alert on enumeration patterns against the /api/eda/ws/ansible-rulebook endpoint, especially sequential or scripted activation_id values.
  • Monitor downstream use of activation credentials and flag credential reuse from hosts that are not registered EDA Workers.

Monitoring Recommendations

  • Forward EDA controller, gateway, and reverse-proxy logs to a centralized analytics platform and retain websocket frame metadata.
  • Track OAuth token issuance and consumption to detect tokens used outside their expected automation context.
  • Inventory SSH and vault credentials bound to activations so that exposure can be scoped quickly if a forged Worker session is observed.

How to Mitigate CVE-2026-11807

Immediate Actions Required

  • Apply the Red Hat updates from RHSA-2026:28376, RHSA-2026:28377, RHSA-2026:28492, and RHSA-2026:28497 to affected Ansible Automation Platform installations.
  • Rotate every OAuth token, vault password, and SSH key associated with EDA activations, treating prior values as exposed.
  • Review EDA audit logs for prior connections to /api/eda/ws/ansible-rulebook that cannot be tied to legitimate Worker hosts.
  • Restrict EDA API access to trusted networks and tighten user account provisioning until patching is complete.

Patch Information

Red Hat has shipped fixed packages through advisories RHSA-2026:28376, RHSA-2026:28377, RHSA-2026:28492, and RHSA-2026:28497. Refer to the Red Hat CVE record for CVE-2026-11807 and Red Hat Bugzilla #2487036 for component versions and tracking status.

Workarounds

  • Limit EDA controller accounts to the minimum set of operators required, since exploitation requires authenticated access.
  • Place the EDA API behind network segmentation or a reverse proxy that restricts websocket access to known Worker hosts until patches are applied.
  • Reduce the secret material bound to each activation by scoping credentials to the smallest target inventory possible.
bash
# Example: restrict access to the EDA websocket endpoint at the reverse proxy
# (illustrative NGINX snippet - adapt to your deployment)
location /api/eda/ws/ansible-rulebook {
    allow 10.10.20.0/24;   # EDA Worker subnet
    deny  all;
    proxy_pass http://eda-controller-upstream;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.