This vulnerability arises from a missing authorization check in the Event-Driven Ansible websocket API endpoint /api/eda/ws/ansible-rulebook in Red Hat Ansible Automation Platform 2.5. Authenticated users can exploit this flaw by sending crafted Worker messages with arbitrary activation_id values to retrieve sensitive plaintext credentials associated with those activations. The exposed credentials include OAuth tokens, vault passwords, and SSH keys, which can lead to a complete compromise of confidentiality and integrity within the affected environment. Red Hat has issued critical security advisories (RHSA-2026:28497 for 2.5 and RHSA-2026:28492 for 2.6) providing updates that fix this vulnerability.

The vulnerability allows any authenticated user to bypass authorization controls and obtain highly sensitive plaintext credentials, including OAuth tokens, vault passwords, and SSH keys. This results in a critical impact on confidentiality and integrity, enabling potential unauthorized access and control over automated processes and systems managed by the Ansible Automation Platform. The CVSS v3.1 base score is 9.6, reflecting the critical severity and the network attack vector with low complexity and no user interaction required.

Red Hat has released official security updates addressing CVE-2026-11807 in Red Hat Ansible Automation Platform versions 2.5 and 2.6. Users should apply these updates promptly to remediate the vulnerability. Before applying the update, ensure all previously released errata relevant to your system are applied. Refer to the official Red Hat advisories RHSA-2026:28497 (for 2.5) and RHSA-2026:28492 (for 2.6) and the upgrade documentation for detailed instructions. No alternative mitigations or workarounds are specified in the advisory.