CVE-2026-12726
Status: Received - Intake
GitHub Webhook Token Exfiltration in AWX

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Red Hat, Inc.

Description
A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.
Meta Information

Generated: 2026-06-21

AI Q&A: 2026-06-20

EPSS Evaluated: N/A

External references: NVD, EUVD
Affected Vendors & Products

1 associated CPE: vendor redhat, product awx, version / range * (all versions)
CWE

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-12726 is a vulnerability in the AWX automation controller related to its GitHub webhook integration.

When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint.

If a job template is configured with a GitHub Personal Access Token (PAT) as its webhook credential, the controller later sends this token to the stored callback URL when posting job status updates.

An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can supply a malicious statuses_url, redirecting the callback to an attacker-controlled URL and exfiltrating the configured GitHub PAT.

Exploitation requires knowledge of the per-template webhook shared secret or privileged access to retrieve it, as normal GitHub webhook deliveries do not allow arbitrary contributors to control the statuses_url.

Impact Analysis

This vulnerability can lead to the exfiltration of a GitHub Personal Access Token (PAT) configured in the AWX job template.

An attacker who successfully exploits this flaw can redirect job status update callbacks to an attacker-controlled URL, thereby stealing the PAT.

With the stolen PAT, the attacker could potentially gain unauthorized access to GitHub repositories or perform actions permitted by the token, leading to further compromise of source code or CI/CD pipelines.

Detection Guidance

Exploitation attempts can be detected by monitoring incoming GitHub pull_request webhook payloads processed by the AWX controller for untrusted or unexpected `statuses_url` values.

Specifically, you should check if the `statuses_url` stored in job extra variables (such as `awx_webhook_status_api`) points to non-GitHub API endpoints, which could indicate an attempt to redirect the callback URL.

Additionally, reviewing job templates configured with GitHub Personal Access Tokens as webhook credentials and verifying the webhook shared secret usage can help identify potential exploitation.

While no explicit commands are provided in the resources, you can use network monitoring tools (e.g., tcpdump, Wireshark) to capture outgoing POST requests from the AWX controller to callback URLs and verify if they are sent to legitimate GitHub API endpoints.

You may also audit logs or database entries for webhook payloads and job extra variables to detect suspicious `statuses_url` values.

Mitigation Strategies

Immediate mitigation steps include validating and restricting the `statuses_url` value to trusted GitHub API endpoints before storing and using it as a callback URL.

Ensure that job templates using GitHub Personal Access Tokens as webhook credentials are reviewed and that the webhook shared secret (webhook_key) is kept secure and not exposed.

Limit access to the webhook shared secret to trusted users only, as exploitation requires knowledge of this secret.

Review the webhook processing code and its configuration so that forged webhooks carrying a malicious `statuses_url` are rejected rather than stored, and audit that behaviour on an ongoing basis.

Apply any available patches or updates from the AWX project or your vendor that address this vulnerability.
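The following is an added example, not code from the AWX project or this record, that covers both the detection guidance (scanning stored job extra variables) and the first mitigation step (restricting `statuses_url` to trusted GitHub API hosts before it is stored as a callback). It assumes an operator-maintained allowlist of API hosts (`api.github.com` by default; a GitHub Enterprise host would be added deliberately), assumes that a legitimate statuses URL has the path shape `/repos/<owner>/<repo>/statuses/<sha>`, and assumes a simplified job record shape where the stored callback lives under `extra_vars["awx_webhook_status_api"]` (the variable name comes from the record above; the record shape and sample jobs are constructed). The validator uses an exact hostname comparison rather than a substring match so that look-alike hosts, embedded credentials in the URL, plain HTTP and non-default ports are all rejected.

```python
from urllib.parse import urlsplit

# Hosts to which posting a job status (and therefore sending the PAT) is allowed.
# Assumption: a static, operator-maintained allowlist; add a GitHub Enterprise
# host here explicitly if one is in use.
TRUSTED_API_HOSTS = frozenset({"api.github.com"})


def is_trusted_statuses_url(url, trusted_hosts=TRUSTED_API_HOSTS):
    """Return True only for an HTTPS URL on an allowlisted GitHub API host.

    The checks go beyond "contains api.github.com": exact host comparison,
    no user:password@ component, default port only, and a path of the
    assumed form /repos/<owner>/<repo>/statuses/<sha>.
    """
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
        hostname = parts.hostname          # already lower-cased by urlsplit
        port = parts.port                  # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if hostname is None or hostname not in trusted_hosts:
        return False
    if port not in (None, 443):
        return False
    # Path must be exactly repos/<owner>/<repo>/statuses/<sha>, nothing more.
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 5 or segments[0] != "repos" or segments[3] != "statuses":
        return False
    if any(s in (".", "..") for s in segments):
        return False
    return True


def find_untrusted_callbacks(jobs):
    """Detection pass: return (job id, url) for every stored callback that
    fails validation. Jobs without a stored callback are ignored."""
    findings = []
    for job in jobs:
        url = job.get("extra_vars", {}).get("awx_webhook_status_api")
        if url is None:
            continue
        if not is_trusted_statuses_url(url):
            findings.append((job["id"], url))
    return findings


# Constructed sample job records (not real AWX data): one legitimate callback,
# one look-alike host, one URL with embedded credentials, one job with no callback.
SAMPLE_JOBS = [
    {"id": 101, "extra_vars": {
        "awx_webhook_status_api": "https://api.github.com/repos/acme/app/statuses/0123abcd"}},
    {"id": 102, "extra_vars": {
        "awx_webhook_status_api": "https://api.github.com.lookalike.example/repos/acme/app/statuses/0123abcd"}},
    {"id": 103, "extra_vars": {
        "awx_webhook_status_api": "https://api.github.com@collector.example/repos/acme/app/statuses/0123abcd"}},
    {"id": 104, "extra_vars": {}},
]

if __name__ == "__main__":
    for job_id, url in find_untrusted_callbacks(SAMPLE_JOBS):
        print(f"job {job_id}: untrusted statuses_url {url!r}")
```

In a webhook handler the same `is_trusted_statuses_url` check belongs at intake, before `statuses_url` is written into the job's extra variables, so that a forged payload is rejected rather than stored and later used as a callback; the detection pass is for finding callbacks that were stored before such a check existed.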
