CVE-2026-12398
Awaiting Analysis - Queue
Command Injection in Galaxy NG Legacy Role Import API

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Red Hat, Inc.

Description
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-12398 is a command injection vulnerability in the galaxy_ng component, specifically in the legacy role import API (v1). The vulnerability occurs because the do_git_checkout() function constructs shell commands using unsanitized git reference names (such as branch or tag names) that can contain shell metacharacters. These commands are executed with subprocess.run() using shell=True, which allows an authenticated user who controls a git repository to inject malicious shell commands.

This means that if the GALAXY_ENABLE_LEGACY_ROLES setting is enabled (which is not the default), an attacker can create a branch or tag with specially crafted names containing shell metacharacters to execute arbitrary code remotely on the pulp worker process.

Impact Analysis

This vulnerability can lead to remote code execution on the pulp worker process, which means an attacker with authenticated access and control over a git repository can execute arbitrary commands on the affected system.

Such an impact can compromise the confidentiality, integrity, and availability of the system, potentially allowing the attacker to take full control, access sensitive data, disrupt services, or use the system as a pivot point for further attacks.

However, the risk is limited to deployments where the GALAXY_ENABLE_LEGACY_ROLES setting is explicitly enabled, as the vulnerable endpoint is not registered by default.

Detection Guidance

This vulnerability involves command injection through unsanitized git ref names in the legacy role import API of galaxy_ng when GALAXY_ENABLE_LEGACY_ROLES is enabled.

Detection starts with checking whether the GALAXY_ENABLE_LEGACY_ROLES setting is enabled, since the vulnerable endpoint is only reachable in that case.

Additionally, monitoring for unusual git branch or tag names containing shell metacharacters (such as ;, |, $(), &, >) in repositories used by the system could indicate exploitation attempts.

Since the vulnerability is triggered by authenticated users controlling git repositories, reviewing logs for git operations involving suspicious ref names may help detect exploitation.

No specific commands for detection are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to ensure that the GALAXY_ENABLE_LEGACY_ROLES setting is disabled, as the vulnerable endpoint is only registered when this setting is enabled.

Since legacy roles are disabled in the default configuration, leaving this feature off prevents exposure to the vulnerability.

Additionally, avoid using or importing roles from git repositories that contain branch or tag names with shell metacharacters.

Review and restrict authenticated user permissions to prevent creation of malicious git references.

Monitor for updates or patches from the vendor addressing this vulnerability and apply them promptly.
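The following Python example is added here to illustrate the points made in the Detection Guidance and Mitigation Strategies sections. It is not galaxy_ng's code: the function names, the ref-name allow-list policy, the PULP_-prefixed setting name and the sample ref names are all assumptions constructed for the demonstration. It shows the CWE-78 pattern (a ref name spliced into a shell=True command string), a hardened equivalent that validates the ref and passes it as a separate argv element with shell=False, a detector that flags ref names containing shell metacharacters or failing the allow-list, and a check for whether the legacy-roles setting is turned on.

```python
"""Illustration of the CWE-78 pattern described in this advisory (added example,
not galaxy_ng code). Names, the ref policy and sample inputs are assumptions."""
import re
import subprocess
from typing import Iterable, List, Mapping, Tuple

# Characters the shell treats specially; any of these in a ref name that is
# spliced into a shell=True command string changes the command's meaning.
SHELL_METACHARACTERS = frozenset(";|&$`<>(){}[]*?~!#\\\"' \t\n")


def build_unsafe_command(repo_dir: str, ref: str) -> str:
    """The vulnerable pattern: the ref is interpolated into one string that a
    shell would parse. Returned for inspection only; never executed here."""
    return f"cd {repo_dir} && git checkout {ref}"


# Conservative allow-list for ref names (assumed policy, stricter than
# git check-ref-format): components of [A-Za-z0-9._-] joined by single '/',
# each starting with an alphanumeric so no component can begin with '-' or '.'.
_REF_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_valid_ref_name(ref: str) -> bool:
    if not ref or len(ref) > 255:
        return False
    for component in ref.split("/"):
        if not _REF_COMPONENT.match(component):  # also rejects empty components
            return False
        if ".." in component or component.endswith(".lock"):
            return False
    return True


def safe_checkout_argv(repo_dir: str, ref: str) -> List[str]:
    """Hardened form: validate first, then pass the ref as its own argv element
    so no shell ever parses it. The allow-list also guarantees the ref cannot
    start with '-', so git cannot mistake it for a command-line option."""
    if not is_valid_ref_name(ref):
        raise ValueError(f"refusing to check out ref {ref!r}")
    return ["git", "-C", repo_dir, "checkout", ref]


def safe_checkout(repo_dir: str, ref: str) -> None:
    """Run the hardened checkout with shell=False (not called in this demo)."""
    subprocess.run(safe_checkout_argv(repo_dir, ref), shell=False, check=True)


def flag_suspicious_refs(refs: Iterable[str]) -> List[Tuple[str, str]]:
    """Detection helper: report ref names that contain shell metacharacters or
    that fail the allow-list, together with the reason."""
    findings = []
    for ref in refs:
        bad = sorted(set(ref) & SHELL_METACHARACTERS)
        if bad:
            findings.append((ref, "shell metacharacters: " + "".join(bad)))
        elif not is_valid_ref_name(ref):
            findings.append((ref, "fails ref-name allow-list"))
    return findings


_TRUTHY = {"1", "true", "yes", "on"}


def legacy_roles_enabled(settings: Mapping[str, str]) -> bool:
    """Configuration check from the mitigation section. Looks for the setting
    under its bare name and under a PULP_ prefix; the prefixed variant is an
    assumption about how the setting is supplied, not taken from the advisory."""
    for key in ("GALAXY_ENABLE_LEGACY_ROLES", "PULP_GALAXY_ENABLE_LEGACY_ROLES"):
        value = settings.get(key)
        if value is not None:
            return str(value).strip().lower() in _TRUTHY
    return False  # unset: the default leaves legacy roles disabled


# Constructed sample ref names, as they might appear in role-import logs.
SAMPLE_REFS = ["main", "v1.2.0", "release/2026.06", "v1;id", "main$(true)", "-x", "a..b"]

if __name__ == "__main__":
    print(build_unsafe_command("/tmp/repo", "v1;id"))  # a second command rides along
    for ref, reason in flag_suspicious_refs(SAMPLE_REFS):
        print(f"SUSPICIOUS {ref!r}: {reason}")
    print(safe_checkout_argv("/tmp/repo", "v1.2.0"))
    print("legacy roles enabled:", legacy_roles_enabled({"GALAXY_ENABLE_LEGACY_ROLES": "True"}))
```

Run stand-alone, the script prints the unsafe command string so the injected second command is visible, lists the four sample refs the detector flags, and shows the argv list that the hardened path would hand to subprocess.run() without a shell. Note that the detector flags "-x" and "a..b" via the allow-list rather than the metacharacter set: option-like and path-traversal-like refs carry no shell metacharacters but are still worth rejecting before they reach git.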

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
