EUVD-2026-38598

🗓️ 23 Jun 2026 19:40:33Reported by EUVDType

Missing authorization in Event-Driven Ansible websocket API allows any authenticated user to obtain plaintext credentials via forged activation_id.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-11807	23 Jun 202619:40	–	attackerkb
Circl	CVE-2026-11807	24 Jun 202600:00	–	circl
CVE	CVE-2026-11807	23 Jun 202619:40	–	cve
Cvelist	CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing	23 Jun 202619:40	–	cvelist
NVD	CVE-2026-11807	23 Jun 202621:16	–	nvd
Positive Technologies	PT-2026-51585	23 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-11807	23 Jun 202619:40	–	redhatcve
RedHat Linux	Critical: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Container Release Update	23 Jun 202619:16	–	redhat
RedHat Linux	Critical: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.5 Container Release Update	23 Jun 202619:39	–	redhat

[
  {
    "enisaIdVendor": [
      {
        "id": "285f2659-a6a1-36da-a0be-dbb61058859e",
        "vendor": {
          "name": "Red Hat"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "7a8a3814-fe0e-3559-bf82-4251654e1e03",
        "product": {
          "name": "Red Hat Ansible Automation Platform 2.6",
          "vendor": {
            "name": "Red Hat"
          }
        },
        "product_version": "patch: 1781732675"
      },
      {
        "id": "faeb1908-d659-30ca-a680-ca52e676e74d",
        "product": {
          "name": "Red Hat Ansible Automation Platform 2.5",
          "vendor": {
            "name": "Red Hat"
          }
        },
        "product_version": "patch: 1781741251"
      }
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2026:28492
access	www.access.redhat.com/errata/RHSA-2026:28497
access	www.access.redhat.com/security/cve/CVE-2026-11807
bugzilla	www.bugzilla.redhat.com/show_bug.cgi

23 Jun 2026 19:43Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.19.6