Fedora Account System
Red Hat Associate
Red Hat Customer
A missing authorization vulnerability was found in EDA (Event-Driven Ansible). The websocket endpoint at /api/eda/ws/ansible-rulebook does not verify that the authenticated user has permission to access the specified activation. The handle_workers() method in consumers.py performs a direct database lookup by activation_id without permission filtering. Any authenticated user, even with zero EDA permissions, can send a forged Worker message with any activation_id and receive plaintext credentials including AAP Controller OAuth tokens, vault passwords, SSH private keys, and TLS certificates.
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.6 for RHEL 9 Via RHSA-2026:28377 https://access.redhat.com/errata/RHSA-2026:28377
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 9 Red Hat Ansible Automation Platform 2.5 for RHEL 8 Via RHSA-2026:28376 https://access.redhat.com/errata/RHSA-2026:28376