CVE-2026-11837
Received Received - Intake
Privilege Escalation in Ansible.posix Authorized Key Module

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-11837
EUVD
EUVD-2026-35982
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat ansible_collection_ansible_posix *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the ansible.posix authorized_key module, specifically in its keyfile() function. The function improperly uses os.chown() instead of os.lchown() and opens files without the O_NOFOLLOW flag, which means it does not safely handle symbolic links.

An unprivileged local user can create symbolic links in their ~/.ssh directory that point to arbitrary system files or directories. When a privileged operator runs the authorized_key task as root, the module follows these symbolic links and changes ownership of the linked files or directories to the unprivileged user. This behavior allows the unprivileged user to escalate their privileges locally.

Impact Analysis

The vulnerability can lead to local privilege escalation, meaning an unprivileged user on the system could gain higher privileges, potentially root-level access.

This can compromise system security by allowing unauthorized access to sensitive files or system functions, potentially leading to further exploitation or system compromise.

Detection Guidance

This vulnerability involves the ansible.posix authorized_key module improperly handling symbolic links in the ~/.ssh directory when run as root. Detection involves checking for the presence of symbolic links in users' ~/.ssh directories that could be exploited.

  • Use the command `find ~/.ssh -type l` to identify symbolic links in the SSH directory.
  • Audit Ansible playbooks or tasks that use the authorized_key module to see if they are run with elevated privileges.
  • Check file ownership changes in sensitive system paths that could indicate exploitation.
Mitigation Strategies

To mitigate this vulnerability, avoid running the ansible.posix authorized_key module as root on systems where unprivileged users can create symbolic links in their ~/.ssh directories.

Ensure that the authorized_key module is updated to a version that fixes the issue by using os.lchown() and opening files with O_NOFOLLOW to prevent following symbolic links.

As a temporary workaround, remove or restrict symbolic links in users' ~/.ssh directories to prevent exploitation.

Audit and monitor file ownership changes on critical system paths to detect any unauthorized modifications.

Compliance Impact

The provided information does not specify how this local privilege escalation vulnerability in the ansible.posix authorized_key module impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11837. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart