CVE-2026-12726
Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential
Description
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.
INFO
Published Date :
June 19, 2026, 6:49 p.m.
Last Modified :
June 19, 2026, 6:49 p.m.
Remotely Exploit :
Yes !
Source :
redhat
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 53f830b8-0a3f-465b-8143-3b8a9948e749 | ||||
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Validate webhook URLs against trusted endpoints.
- Restrict webhook credentials usage.
- Update AWX to the latest version.
- Review webhook configurations.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-12726 vulnerability anywhere in the article.