Wasteland.
CVE-2026-11807 | 2026-06-23

CVE-2026-11807: Missing Authorization in Event-Driven Ansible Leaks Plaintext Credentials

A critical flaw in Red Hat Ansible Automation Platform's Event-Driven Ansible websocket API lets any authenticated user retrieve plaintext credentials—OAuth tokens, vault passwords, and SSH keys—belonging to other automation activations.

What Is It

CVE-2026-11807 is a missing authorization vulnerability (CWE-862) in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. As a result, any authenticated user can send a forged message containing an arbitrary activation_id and receive the plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
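The bug class above is object-level authorization that is never performed: the handler authenticates the caller and then trusts a client-supplied activation_id. The following is an added illustration of that pattern beside a hardened handler. It is constructed for this brief and is not Event-Driven Ansible's code; the message shape ({"type": "Worker", "activation_id": N}), the owner field on an activation and the in-memory store are all assumptions.

```python
"""Missing object-level authorization (CWE-862) on a websocket message handler,
shown as a vulnerable handler beside a hardened one. Constructed illustration of
the bug class described for CVE-2026-11807; not Event-Driven Ansible's code.
Message shape, owner field and in-memory store are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_superuser: bool = False


@dataclass
class Activation:
    id: int
    owner: str
    credentials: dict  # plaintext secrets the rulebook worker is handed


class Forbidden(Exception):
    """Raised when the caller may not read the requested activation."""


# Constructed fixture: activations belonging to two different users.
ACTIVATIONS = {
    1: Activation(1, "alice", {"vault_password": "alice-vault-pw",
                              "ssh_private_key": "-----BEGIN OPENSSH PRIVATE KEY-----...alice"}),
    2: Activation(2, "bob", {"oauth_token": "bob-oauth-token"}),
}


def handle_worker_message_vulnerable(user: User, message: dict) -> dict:
    """Authenticated but not authorized: activation_id comes straight from the
    client and is never compared against what `user` may access."""
    activation = ACTIVATIONS[message["activation_id"]]
    return {"type": "Credentials", "activation_id": activation.id,
            "credentials": activation.credentials}


def can_read_activation(user: User, activation: Activation) -> bool:
    """Object-level check: the caller owns the activation or is a superuser."""
    return user.is_superuser or activation.owner == user.name


def handle_worker_message_fixed(user: User, message: dict) -> dict:
    """Same handler, with the authorization decision made before any secret is
    placed in the response."""
    if message.get("type") != "Worker":
        raise ValueError("unexpected message type")
    activation = ACTIVATIONS.get(message.get("activation_id"))
    # One answer for "does not exist" and "not yours": a caller probing
    # activation_ids learns nothing about which ids are live.
    if activation is None or not can_read_activation(user, activation):
        raise Forbidden("not permitted to read this activation")
    return {"type": "Credentials", "activation_id": activation.id,
            "credentials": activation.credentials}


def leaks_credentials(handler, user: User, activation_id: int) -> bool:
    """True if `handler` returns the credentials of `activation_id` to a user
    who is not allowed to read it. Usable as a regression check for the fix."""
    activation = ACTIVATIONS.get(activation_id)
    allowed = activation is not None and can_read_activation(user, activation)
    try:
        handler(user, {"type": "Worker", "activation_id": activation_id})
    except (Forbidden, KeyError):
        return False
    return not allowed


if __name__ == "__main__":
    bob = User("bob")
    for name, handler in (("vulnerable", handle_worker_message_vulnerable),
                          ("fixed", handle_worker_message_fixed)):
        print(name, "leaks alice's credentials to bob:",
              leaks_credentials(handler, bob, 1))
```

The hardened handler makes the check an explicit function (can_read_activation) that is called before the secret is loaded, and it collapses "no such activation" and "not yours" into the same Forbidden response so the endpoint cannot be used to enumerate activation ids.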

The flaw carries a CVSS 3.1 base score of 9.6 (Critical), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. The network attack vector, low complexity, and low privilege requirement make exploitation straightforward for anyone with an authenticated account, and the changed scope reflects credential disclosure that extends beyond the EDA component itself.

Why It Matters

The disclosed secrets—SSH keys, vault passwords, and OAuth tokens—are exactly the credentials that grant control over downstream systems an automation platform manages. An attacker harvesting them can pivot well beyond Ansible itself, which is reflected in the high confidentiality and integrity impact ratings. Because only a low-privilege authenticated account is required and no user interaction is involved, the barrier to abuse is minimal.

What's Vulnerable

The vulnerability affects Red Hat Ansible Automation Platform. The two affected product streams named in the advisories are flagged as affected by default, with the fixed RPM builds marked unaffected. The status of the broader automation-eda-controller package in Ansible Automation Platform 2 is listed as unknown.

Patch Status

Red Hat has published fixes via security advisories RHSA-2026:28492 and RHSA-2026:28497. Administrators should update affected EDA controller packages to the fixed versions referenced in those advisories. Because patching does not revoke secrets that may already have been read, the credentials attached to EDA activations (vault passwords, SSH keys, OAuth tokens) should also be rotated wherever unauthorized access to the websocket API is suspected. This CVE is not listed in the CISA KEV catalog, and the source material reports no confirmed active exploitation.
