Executive Summary
A critical missing authorization vulnerability has been disclosed in Red Hat Event-Driven Ansible (EDA), tracked as CVE-2026-11807 with a CVSS v3.1 score of 9.6. The flaw resides in the /api/eda/ws/ansible-rulebook WebSocket endpoint, which fails to verify user permissions before processing Worker messages. Any authenticated user can craft a forged message with an arbitrary activation_id to receive plaintext data intended for privileged activation processes.
Technical Details
Vulnerability Overview
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-11807 |
| CVSS Score | 9.6 (Critical) |
| Vulnerability Type | Missing Authorization (CWE-862) |
| Component | Event-Driven Ansible (EDA) WebSocket API |
| Endpoint | /api/eda/ws/ansible-rulebook |
| Attack Vector | Network |
| Authentication Required | Yes (any authenticated user) |
How the Vulnerability Works
Event-Driven Ansible uses a WebSocket endpoint at /api/eda/ws/ansible-rulebook to facilitate communication between the EDA server and Worker processes. When a Worker connects and sends messages containing an activation_id, the server is expected to validate that the requesting user has authorization to access that specific activation's data.
The flaw: The endpoint does not perform permission checks on the activation_id field in incoming Worker messages. As a result:
- Any authenticated user — regardless of their actual role or permission set — can connect to the WebSocket endpoint.
- By sending a crafted message with an arbitrary
activation_id, they can request data belonging to activations they should not have access to. - The server responds with plaintext activation data, which may include sensitive configuration, credentials, or operational parameters tied to that activation.
Impact
The practical impact of CVE-2026-11807 includes:
- Unauthorized data disclosure: Sensitive information from any EDA activation can be retrieved by a low-privileged user.
- Lateral movement potential: Activation data may contain environment variables, API tokens, webhook secrets, or infrastructure details that enable further compromise.
- Integrity risk: Depending on the EDA environment, forged Worker messages could interfere with legitimate activation workflows.
This is a horizontal privilege escalation issue — a user with any level of EDA access can elevate their effective data access to the level of any other activation in the system.
Affected Products
- Red Hat Event-Driven Ansible (EDA) — all versions exposing the
/api/eda/ws/ansible-rulebookWebSocket endpoint. - Installations behind authenticated proxies are still vulnerable if the underlying EDA service exposes the endpoint.
Recommended Actions
Immediate Steps
- Apply vendor patches as soon as Red Hat issues a fix. Monitor Red Hat Security Advisories for the corresponding RHSA.
- Restrict access to the EDA WebSocket endpoint at the network layer — limit connectivity to trusted Worker hosts only using firewall rules or network segmentation.
- Audit EDA user accounts and remove any accounts that should not have EDA access. Reduce the authenticated user base to the minimum necessary.
- Review activation data to assess what sensitive values (credentials, tokens, secrets) are stored in EDA activations and rotate any that may have been exposed.
Detection Guidance
Look for unusual WebSocket connections to /api/eda/ws/ansible-rulebook from unexpected source IPs or user accounts in EDA server logs. Legitimate Worker connections should originate from known Worker hosts only — any other authenticated client connecting to this endpoint is anomalous.
# Example: grep EDA access logs for WebSocket connections
grep "ansible-rulebook" /var/log/eda/eda-server.log | grep -v "known-worker-ip"Context: Event-Driven Ansible
Event-Driven Ansible (EDA) is a Red Hat automation component that enables event-driven IT workflows — triggering Ansible playbooks and rulebooks in response to events from monitoring tools, webhooks, and other sources. EDA is widely used in enterprise environments for automated remediation, incident response automation, and infrastructure event handling.
Because EDA activations frequently handle sensitive operational data (API keys, webhook tokens, service credentials), a missing authorization flaw in its core communication layer carries significant risk in production deployments.
Summary
CVE-2026-11807 is a straightforward but high-impact missing authorization bug: any authenticated EDA user can access plaintext data from any activation by sending a forged WebSocket message. The CVSS 9.6 score reflects the combination of network accessibility, low attack complexity, no user interaction required, and the high potential impact on confidentiality. Organizations running Event-Driven Ansible should treat this as priority patching and immediately restrict WebSocket endpoint access while awaiting Red Hat's patch.