- CVE: CVE-2026-11807
- CVSS: 9.6 (Critical · CVSSv3)
- Product: Red Hat Ansible Automation Platform 2.5 for RHEL 8
- Impact: Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
- Status: No confirmed exploitation yet
- Patched in: 0:1.1.19-1.el8ap, 0:1.1.19-1.el9ap, 0:1.2.9-2.el9ap, 1781741251 (+1 more)
- EPSS: 0.4% (30-day)
- Action: Update to 0:1.1.19-1.el8ap, 0:1.1.19-1.el9ap, 0:1.2.9-2.el9ap, 1781741251 (+1 more) now
TL;DR
Red Hat disclosed a critical Event-Driven Ansible flaw tracked as CVE-2026-11807. It scores 9.6 (Critical) on CVSSv3 and leaks stored secrets: any authenticated user can pull credentials tied to activations they should never see.
Why It Matters
Event-Driven Ansible automates responses across IT systems. Operations teams run it to react to alerts at scale. To do that, it stores powerful secrets. This flaw exposes OAuth tokens, vault passwords, and SSH keys. With those, an attacker could move deeper into the network. A single leaked SSH key could unlock many managed hosts. So the credential disclosure threatens far more than one server.
How the Attack Works
The bug sits in the Event-Driven Ansible websocket API, the channel that activation workers use to fetch what a rulebook needs to run. Red Hat classes it as a missing authorization issue. The handler for Worker messages skips the permission check: it trusts the activation_id carried in the message and never verifies that the caller is the worker bound to that activation. So any logged-in user who can open the websocket can forge a Worker message, supply an arbitrary activation ID, and receive the plaintext credentials tied to that activation. This credential disclosure needs no admin rights and no user interaction, which is what drives the score so high.
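As an added example, not eda-server's own code: a minimal Python dispatcher that models the pattern above, with the vulnerable handler beside one hardened form. The message shape (`type`, `activation_id`), the `Activation` and `Session` types, the in-memory store, and the per-activation worker token the hardened handler checks are all assumptions made for illustration; Red Hat's actual fix may differ.

```python
"""Missing authorization on a websocket Worker message: vulnerable vs fixed.

Added illustration only. Everything here (names, message shape, the
per-activation worker token) is an assumption, not eda-server's real code.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets


@dataclass
class Activation:
    """One rulebook activation and the secrets it needs at runtime."""
    activation_id: int
    owner: str                 # user who created the activation
    worker_token: str          # per-activation secret issued to its worker (assumed)
    credentials: dict          # e.g. controller token, vault password, SSH key


@dataclass
class Session:
    """What the server knows about one authenticated websocket connection."""
    user: str
    roles: set = field(default_factory=set)
    worker_token: Optional[str] = None   # presented at connect by a real worker


# Constructed in-memory store standing in for the database; values are fake.
ACTIVATIONS = {
    42: Activation(42, "alice", secrets.token_hex(16),
                   {"controller_token": "ctl-TOKEN-alice",
                    "vault_password": "vault-pw-alice"}),
    43: Activation(43, "bob", secrets.token_hex(16),
                   {"ssh_private_key": "-----BEGIN OPENSSH PRIVATE KEY----- (fake)"}),
}


def handle_worker_vulnerable(session: Session, msg: dict) -> dict:
    """Vulnerable: trusts the activation_id in the message.

    The only gate is that the connection is authenticated. The caller's
    relationship to the activation is never checked, so any logged-in
    user can spoof activation_id and read someone else's secrets.
    """
    if msg.get("type") != "Worker":
        return {"type": "Error", "detail": "unsupported message"}
    activation = ACTIVATIONS.get(msg.get("activation_id"))
    if activation is None:
        return {"type": "Error", "detail": "unknown activation"}
    return {"type": "Credentials", **activation.credentials}


def handle_worker_fixed(session: Session, msg: dict) -> dict:
    """Hardened: the caller must prove it is the worker for *this* activation.

    The session needs the worker role and must present the token that was
    issued for the requested activation. Unknown ids and wrong tokens get
    the same reply, so the response does not reveal which ids exist.
    """
    if msg.get("type") != "Worker":
        return {"type": "Error", "detail": "unsupported message"}
    activation = ACTIVATIONS.get(msg.get("activation_id"))
    authorized = (
        activation is not None
        and "worker" in session.roles
        and session.worker_token is not None
        and hmac.compare_digest(session.worker_token, activation.worker_token)
    )
    if not authorized:
        return {"type": "Error", "detail": "not authorized"}
    return {"type": "Credentials", **activation.credentials}


def demo() -> dict:
    """Run both handlers against a low-privilege attacker and a real worker."""
    attacker = Session(user="mallory", roles={"viewer"})
    worker = Session(user="eda-worker", roles={"worker"},
                     worker_token=ACTIVATIONS[42].worker_token)
    spoofed = {"type": "Worker", "activation_id": 42}
    return {
        "attacker_vulnerable": handle_worker_vulnerable(attacker, spoofed)["type"],
        "attacker_fixed": handle_worker_fixed(attacker, spoofed)["type"],
        "worker_fixed": handle_worker_fixed(worker, spoofed)["type"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened handler binds the secret to the activation rather than to the user: a worker token for activation 42 does not unlock 43, and a stolen ordinary login unlocks nothing. Whatever the real fix looks like, that per-activation binding is the check to look for when reviewing a websocket handler of this kind.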
Affected Versions
The flaw affects Red Hat Ansible Automation Platform 2.5 and 2.6. Both ship the vulnerable Event-Driven Ansible component (eda-server). Any installation running a build older than the fixed releases listed above stays exposed until it is updated.
Exploitation Status
Red Hat reports no active exploitation of this flaw. Likewise, no public proof-of-concept has surfaced yet.
Patch and Mitigation
Red Hat has released fixes for both versions. Apply the 2.5 and 2.6 security updates now; that closes this Event-Driven Ansible flaw. Until you patch, restrict network access to the websocket endpoint so that only the hosts running your activation workers can reach it, and review and limit the accounts that can authenticate to the platform, since any of them can trigger this bug. After patching, rotate the OAuth tokens, vault passwords, and SSH keys attached to activations. Treat all of them as exposed rather than only those you can prove were read: exploitation looks like an ordinary authenticated websocket session, so your logs may not show which activation IDs were requested.