CVE-2026-11807
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
Risk Assessment
The risk involves potential theft of sensitive credentials (OAuth tokens, passwords, SSH keys) by any authenticated user, which could lead to unauthorized access to systems and data.
Recommendation
Immediately implement user permission verification for the WebSocket endpoint and restrict access only to trusted Workers. Updating to the latest EDA version with the fix is recommended.
Original NVD description (English source)
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

