7.8
CVE-2026-11332
- EPSS 0.16%
- Veröffentlicht 05.06.2026 08:21:43
- Zuletzt bearbeitet 30.06.2026 03:17:08
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
≫
Produkt
Red Hat Ansible Automation Platform 2
Default Statusaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.052 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
https://access.redhat.com/security/cve/CVE-2026-11332
https://bugzilla.redhat.com/show_bug.cgi?id=2485379
https://github.com/ansible/ansible
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11332.json