CVE Catalog

CVE-2026-12726

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A flaw was found in the AWX GitHub webhook integration. The controller stores the statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint.

Risk Assessment

An attacker can exploit this vulnerability to redirect requests to an attacker-controlled URL, leading to the exfiltration of the configured GitHub access token.

Recommendation

It is recommended to validate URLs in webhooks and avoid using GitHub personal access tokens in job templates that may be exposed to attacks.

Original NVD description (English source)

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS