websocket missing authorization allows credential theft via activation_id spoofing
Summary
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys. A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys. Red Hat severity: Critical — CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). Weakness: CWE-862. Fixed by RHSA-2026:28376, RHSA-2026:28377, RHSA-2026:28497, RHSA-2026:28492 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Ansible Automation Platform 2.5 for RHEL 8; Red Hat Ansible Automation Platform 2.5 for RHEL 9; Red Hat Ansible Automation Platform 2.6 for RHEL 9; Red Hat Ansible Automation Platform 2.5; Red Hat Ansible Automation Platform 2.6.
- automation-eda-controller-0:1.2.9-2.el9ap
- ansible-automation-platform-26/eda-controller-rhel9:1781732675
- automation-eda-controller-0:1.1.19-1.el8ap
- ansible-automation-platform-25/eda-controller-rhel8:1781741251
- automation-eda-controller-0:1.1.19-1.el9ap
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- automation-eda-controller-0:1.1.19-1.el8ap
- automation-eda-controller-0:1.1.19-1.el9ap
- automation-eda-controller-0:1.2.9-2.el9ap
- ansible-automation-platform-25/eda-controller-rhel8:1781741251
- ansible-automation-platform-26/eda-controller-rhel9:1781732675
- RHSA-2026:28376
- RHSA-2026:28377
- RHSA-2026:28497
- RHSA-2026:28492
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- The following practices would help for reducing or avoiding the exposure to this flaw: 1) Restrict network access to the EDA websocket endpoint. 2) Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.