CVE-2026-11332
Ansible-Galaxy Role Install Git Config Injection Flaw

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Red Hat, Inc.

Description
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Affected Vendors & Products (2 associated CPEs)

Vendor    Product        Version / Range
red_hat   ansible-core   *
red_hat   ansible        *
CWE

CWE-88 (Argument Injection): The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-11332 is a security vulnerability in ansible-core related to the ansible-galaxy role install command. The command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field.

Specifically, the src and name fields from the requirements.yml file are passed to the git clone command via Python's Popen without a -- separator to distinguish options from positional arguments. This allows an attacker to embed git configuration flags that execute arbitrary commands on the system of any user who installs the malicious role.

The vulnerability enables arbitrary code execution on the target machine during role installation.


How can this vulnerability impact me? :

This vulnerability can lead to arbitrary code execution on your machine if you install a malicious Ansible role via the ansible-galaxy role install command.

An attacker who crafts a malicious role can inject commands that run with the privileges of the user performing the installation, potentially compromising your system's confidentiality, integrity, and availability.

  • Execution of unauthorized commands on your system.
  • Potential full system compromise depending on user privileges.
  • Loss or corruption of data.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises when installing an ansible-galaxy role that includes a meta/requirements.yml file with malicious dependency specifications in the src field. Detection involves inspecting the requirements.yml files of roles being installed for suspicious or unexpected git configuration flags embedded in the src field.

Since the vulnerability exploits argument injection in the git clone command, you can monitor or audit ansible-galaxy role install commands for unusual git clone invocations or unexpected command executions.

There are no specific detection commands provided in the resources, but a practical approach includes:

  • Manually review the meta/requirements.yml files of roles before installation for suspicious src entries containing git configuration flags (e.g., '-c core.sshCommand=sh -c "malicious_command"').
  • Use command-line tools like grep to search for suspicious patterns in requirements.yml files, for example: grep -r -- '-c core.sshCommand' /path/to/roles/
  • Monitor system logs or audit logs for unexpected executions of shell commands triggered by ansible-galaxy role install.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid installing ansible-galaxy roles from untrusted or unknown sources, especially those that include meta/requirements.yml files.

Ensure that your ansible-core installation is updated with the fix that inserts a '--' separator before positional arguments in the git clone command to prevent argument injection.

If an update is not yet available, manually inspect and sanitize the meta/requirements.yml files of roles before installation to ensure no malicious git configuration flags are present.

Limit the permissions of users who can run ansible-galaxy role install commands to reduce the risk of arbitrary code execution.
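The following is an added illustration (not ansible-core's own code) of the two points above: why a `--` separator before positional arguments keeps a requirements.yml value from reaching git's option parser, and a pre-install audit of the kind the detection section describes. It assumes meta/requirements.yml has already been loaded into a list of dicts (for example with yaml.safe_load); the sample entries are constructed, and the option-shaped value is a placeholder, not a command.

```python
# Added example (not ansible-core's code): why a '--' separator before
# positional arguments keeps a requirements.yml value from being read as a
# git option, plus a pre-install audit of dependency entries. Assumes the
# meta/requirements.yml was already loaded (e.g. yaml.safe_load) into dicts.
from typing import Dict, List

def clone_argv_vulnerable(src: str, dest: str) -> List[str]:
    """Flawed pattern: src follows the options directly, so git parses a
    src beginning with '-' as an option rather than a repository URL."""
    return ["git", "clone", "--quiet", src, dest]

def clone_argv_fixed(src: str, dest: str) -> List[str]:
    """Fixed pattern: '--' marks everything after it as positional, so src
    and dest can never be interpreted as flags."""
    return ["git", "clone", "--quiet", "--", src, dest]

def value_parsed_as_option(argv: List[str], value: str) -> bool:
    """True if git would treat `value` as an option in this argv: it starts
    with '-' and no '--' marker precedes it."""
    if not value.startswith("-"):
        return False
    if "--" not in argv:
        return True
    return argv.index(value) < argv.index("--")

def audit_requirements(entries: List[Dict[str, str]]) -> List[str]:
    """Pre-install check: report src/name values beginning with '-', the
    shape a value must have to reach git's option parser. A leading '-' is
    never a valid repository URL or role name."""
    findings = []
    for index, entry in enumerate(entries):
        for field in ("src", "name"):
            value = str(entry.get(field, ""))
            if value.startswith("-"):
                findings.append(
                    f"entry {index}: '{field}' would be parsed as a git "
                    f"option: {value!r}"
                )
    return findings

# Constructed sample: one benign dependency and one option-shaped src
# (placeholder value, deliberately not a runnable command).
SAMPLE_REQUIREMENTS = [
    {"src": "https://github.com/example/benign-role.git", "name": "example.benign"},
    {"src": "-c core.sshCommand=PLACEHOLDER", "name": "example.suspect"},
]

if __name__ == "__main__":
    for line in audit_requirements(SAMPLE_REQUIREMENTS):
        print(line)
```

Running the audit over a role's loaded requirements before `ansible-galaxy role install` gives a cheap pre-install gate; the argv helpers show that only the `--` placement, not the value itself, decides whether git sees an option.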


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability in ansible-core allows arbitrary code execution on the machine of a user who installs a malicious role via ansible-galaxy role install. This could potentially lead to unauthorized access or manipulation of sensitive data on affected systems.

Such unauthorized code execution and potential data compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.

However, the provided information does not explicitly describe the direct effects on compliance frameworks or specific regulatory impacts.