Description
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Published: 2026-06-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w8p5-mx5w-cpqj ansible-core: Argument injection in ansible-galaxy role install leads to arbitrary code execution
History

Fri, 10 Jul 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat acm
Redhat ansible Portal
Redhat discovery
Redhat enterprise Linux
Redhat migration Toolkit Applications
Redhat migration Toolkit Virtualization
Redhat openshift
Redhat satellite
Redhat service Mesh
Redhat stf
CPEs cpe:/a:redhat:acm:2
cpe:/a:redhat:ansible_core:2
cpe:/a:redhat:ansible_portal:2
cpe:/a:redhat:discovery:2::el9
cpe:/a:redhat:migration_toolkit_applications:8
cpe:/a:redhat:migration_toolkit_virtualization:2
cpe:/a:redhat:openshift:4
cpe:/a:redhat:satellite:6
cpe:/a:redhat:service_mesh:3
cpe:/a:redhat:stf:1.5
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat acm
Redhat ansible Portal
Redhat discovery
Redhat enterprise Linux
Redhat migration Toolkit Applications
Redhat migration Toolkit Virtualization
Redhat openshift
Redhat satellite
Redhat service Mesh
Redhat stf

Sun, 07 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ansible Core
Vendors & Products Redhat ansible Core

Fri, 05 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 05 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Title Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
First Time appeared Redhat
Redhat ansible Automation Platform
Weaknesses CWE-88
CPEs cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products Redhat
Redhat ansible Automation Platform
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Redhat Acm Ansible Automation Platform Ansible Core Ansible Portal Discovery Enterprise Linux Migration Toolkit Applications Migration Toolkit Virtualization Openshift Satellite Service Mesh Stf
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T02:45:49.969Z

Reserved: 2026-06-05T07:58:25.632Z

Link: CVE-2026-11332

cve-icon Vulnrichment

Updated: 2026-07-15T02:45:49.969Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T09:16:26.070

Modified: 2026-06-05T14:56:14.030

Link: CVE-2026-11332

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-05T07:12:55Z

Links: CVE-2026-11332 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:00:11Z

Weaknesses