SecuriTricks - CVE-2026-12726

Description

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.

Product(s) Impacted

Vendor	Product	Versions
Redhat	Awx	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	redhat	awx	/	/	/	/	/	/	/	/

References

https://access.redhat.com/security/cve/CVE-2026-12726

https://bugzilla.redhat.com/show_bug.cgi?id=2490796

CVSS Score

6.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

View Vector String

Timeline

Published: June 19, 2026, 7:16 p.m.
Last Modified: June 19, 2026, 7:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-12726