{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12726", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-19T15:05:52.078Z", "datePublished": "2026-06-19T18:49:55.376Z", "dateUpdated": "2026-06-22T17:08:43.067Z"}, "containers": {"cna": {"title": "Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-automation-platform-26/controller-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-automation-platform-27/controller-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "automation-controller", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-12726", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490796", "name": "RHBZ#2490796", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-19T14:40:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)", "workarounds": [{"lang": "en", "value": "The following practices may reduce exposure to this flaw until a fix is available:\n1. Restrict network access to controller webhook endpoints so only trusted GitHub egress IPs or an approved reverse proxy can reach them.\n2. Protect job template webhook keys as secrets; restrict Job Template admin access; rotate webhook keys if compromise is suspected.\n3. If commit status callback to GitHub is not required, configure GitHub webhooks without a webhook_credential on the job template (this disables PAT transmission on job completion).\n4. Monitor controller logs and outbound connections for unexpected callback destinations following webhook-triggered jobs."}], "timeline": [{"lang": "en", "time": "2026-04-24T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-19T14:40:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Martin Brodeur (FluentLogic) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-19T18:49:55.376Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T17:08:33.221112Z", "id": "CVE-2026-12726", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T17:08:43.067Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12726", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-22T17:08:33.221112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T17:08:39.586Z"}}], "cna": {"title": "Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential", "credits": [{"lang": "en", "value": "Red Hat would like to thank Martin Brodeur (FluentLogic) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "ansible-automation-platform-26/controller-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "ansible-automation-platform-27/controller-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "automation-controller", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-04-24T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-19T14:40:00.000Z", "value": "Made public."}], "datePublic": "2026-06-19T14:40:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-12726", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490796", "name": "RHBZ#2490796", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "The following practices may reduce exposure to this flaw until a fix is available:\n1. Restrict network access to controller webhook endpoints so only trusted GitHub egress IPs or an approved reverse proxy can reach them.\n2. Protect job template webhook keys as secrets; restrict Job Template admin access; rotate webhook keys if compromise is suspected.\n3. If commit status callback to GitHub is not required, configure GitHub webhooks without a webhook_credential on the job template (this disables PAT transmission on job completion).\n4. Monitor controller logs and outbound connections for unexpected callback destinations following webhook-triggered jobs."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-19T18:49:55.376Z"}, "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)"}}, "cveMetadata": {"cveId": "CVE-2026-12726", "state": "PUBLISHED", "dateUpdated": "2026-06-22T17:08:43.067Z", "dateReserved": "2026-06-19T15:05:52.078Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-06-19T18:49:55.376Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{}

{"acknowledgement": "Red Hat would like to thank Martin Brodeur (FluentLogic) for reporting this issue.", "bugzilla": {"description": "awx: automation-controller: awx: GitHub webhook second-order SSRF via unvalidated statuses_url exfiltrates PAT credential", "id": "2490796", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490796"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT."], "mitigation": {"lang": "en:us", "value": "The following practices may reduce exposure to this flaw until a fix is available:\n1. Restrict network access to controller webhook endpoints so only trusted GitHub egress IPs or an approved reverse proxy can reach them.\n2. Protect job template webhook keys as secrets; restrict Job Template admin access; rotate webhook keys if compromise is suspected.\n3. If commit status callback to GitHub is not required, configure GitHub webhooks without a webhook_credential on the job template (this disables PAT transmission on job completion).\n4. Monitor controller logs and outbound connections for unexpected callback destinations following webhook-triggered jobs."}, "name": "CVE-2026-12726", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-27/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2026-06-19T14:40:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-12726\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-12726"], "statement": "Red Hat rates this issue as Moderate impact. This flaw affects AWX controller deployments that enable GitHub webhooks with status callback configured (webhook_service=github and a GitHub Personal Access Token configured as webhook_credential on the job template).\nThe controller intentionally uses the configured GitHub PAT to post commit status updates back to GitHub; however, it fails to restrict the callback destination to trusted GitHub API endpoints. When a forged webhook with a valid HMAC signature supplies a malicious statuses_url, the PAT may be sent to an attacker-controlled URL on job completion.\nExploitation requires knowledge of the per-job-template webhook_key used to validate incoming webhook requests. This secret is not controllable by arbitrary GitHub contributors through normal GitHub webhook delivery; it must be obtained through privileged access to the automation controller or compromise/disclosure of the configured shared secret. Additional preconditions include network reachability to the webhook endpoint and network reachability from the controller to the attacker-specified callback URL.\nAWX is typically deployed as internal infrastructure management tooling, which may limit practical exposure in many environments, but does not eliminate the issue where GitHub webhook integration with status callback is enabled.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Red Hat Ansible Automation Platform 2", "source": "cna", "vendor": "Red Hat"}, "product": "ansible_automation_platform", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "awx", "vendor": "redhat"}], "created": "2026-06-19T21:00:04.912943+00:00", "updated": "2026-06-24T20:41:38.914107+00:00", "vendors": ["redhat", "redhat$PRODUCT$ansible_automation_platform", "redhat$PRODUCT$awx"]}