A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

The following practices may reduce exposure to this flaw until a fix is available:

1. Restrict network access to controller webhook endpoints so only trusted GitHub egress IPs or an approved reverse proxy can reach them.
2. Protect job template webhook keys as secrets; restrict Job Template admin access; rotate webhook keys if compromise is suspected.
3. If commit status callback to GitHub is not required, configure GitHub webhooks without a webhook_credential on the job template (this disables PAT transmission on job completion).
4. Monitor controller logs and outbound connections for unexpected callback destinations following webhook-triggered jobs.
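The root cause in the description is a stored callback URL that is never checked against a trusted GitHub API endpoint, and workaround item 4 asks operators to watch for unexpected callback destinations. The following is an added example, not AWX or Ansible Automation Platform code: a strict allowlist validator for a pull_request.statuses_url value, and a small scanner that applies the same validator to log lines. The trusted host set (api.github.com only; a GitHub Enterprise host would be added by the operator), the log-line format, and the sample payloads are all constructed assumptions for the example.

```python
"""Allowlist validation for GitHub statuses_url callbacks (example code, not AWX's)."""
import re
from urllib.parse import urlsplit

# Assumption: only github.com's API is trusted. A GitHub Enterprise deployment
# would add its own API host here; anything else is rejected.
TRUSTED_API_HOSTS = frozenset({"api.github.com"})

# GitHub commit status URLs have the shape /repos/{owner}/{repo}/statuses/{40-hex sha}.
STATUSES_PATH_RE = re.compile(r"/repos/[^/]+/[^/]+/statuses/[0-9a-f]{40}")


def is_trusted_statuses_url(url, trusted_hosts=TRUSTED_API_HOSTS):
    """Return True only for an https URL on a trusted host with a statuses path.

    Scheme, userinfo, host, port and path are each checked explicitly so that
    lookalike hosts, embedded credentials and odd ports are all rejected.
    """
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # "https://api.github.com@other.example/..." parses with a userinfo part;
        # reject it outright rather than relying on the host check alone.
        return False
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        return False
    if port not in (None, 443):
        return False
    return STATUSES_PATH_RE.fullmatch(parts.path) is not None


def extract_callback_url(payload, trusted_hosts=TRUSTED_API_HOSTS):
    """Pull pull_request.statuses_url out of a webhook payload, or None if untrusted.

    Storing None instead of the raw value means a later status POST has nowhere
    untrusted to go; the validation happens before anything is persisted.
    """
    url = (payload.get("pull_request") or {}).get("statuses_url")
    return url if is_trusted_statuses_url(url, trusted_hosts) else None


# Constructed sample payloads (only the field used here is populated).
SAMPLE_PAYLOAD = {
    "action": "opened",
    "pull_request": {
        "statuses_url": "https://api.github.com/repos/acme/app/statuses/" + "0" * 40,
    },
}
SAMPLE_UNTRUSTED_PAYLOAD = {
    "action": "opened",
    "pull_request": {
        "statuses_url": "https://api.github.com@callbacks.evil.example/repos/acme/app/statuses/" + "0" * 40,
    },
}

# Constructed log-line format for the monitoring check; a real deployment would
# adapt CALLBACK_RE to whatever the controller actually logs.
CALLBACK_RE = re.compile(r"job=(\d+)\s+callback_url=(\S+)")
SAMPLE_LOG_LINES = [
    "2026-06-19 19:20:01 INFO job=42 callback_url=https://api.github.com/repos/acme/app/statuses/" + "0" * 40,
    "2026-06-19 19:21:07 INFO job=43 callback_url=https://callbacks.evil.example/hook",
    "2026-06-19 19:21:09 INFO job=43 finished successfully",
]


def flag_untrusted_callbacks(log_lines, trusted_hosts=TRUSTED_API_HOSTS):
    """Return (job_id, url) for every logged callback that fails the allowlist."""
    findings = []
    for line in log_lines:
        match = CALLBACK_RE.search(line)
        if match and not is_trusted_statuses_url(match.group(2), trusted_hosts):
            findings.append((int(match.group(1)), match.group(2)))
    return findings


if __name__ == "__main__":
    print("trusted payload ->", extract_callback_url(SAMPLE_PAYLOAD))
    print("untrusted payload ->", extract_callback_url(SAMPLE_UNTRUSTED_PAYLOAD))
    print("flagged callbacks ->", flag_untrusted_callbacks(SAMPLE_LOG_LINES))
```

The validator is deliberately an allowlist rather than a denylist: it names the one acceptable scheme, host, port and path shape and rejects everything else, which is what "validating that it points to a trusted GitHub API endpoint" amounts to in practice. Note that a correct webhook signature says nothing about the URL inside the payload, which is why the check has to be applied to the field itself.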

History

Fri, 19 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the description at the top of this record)
Title | | AWX: automation-controller: awx: GitHub webhook second-order SSRF via unvalidated statuses_url exfiltrates PAT credential
First Time appeared | | Redhat; Redhat ansible Automation Platform
Weaknesses | | CWE-918
CPEs | | cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products | | Redhat; Redhat ansible Automation Platform
References | |
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-19T18:49:55.376Z

Reserved: 2026-06-19T15:05:52.078Z

Link: CVE-2026-12726

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:00:04Z

Weaknesses