A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat acm
Redhat ansible Portal Redhat discovery Redhat enterprise Linux Redhat migration Toolkit Applications Redhat migration Toolkit Virtualization Redhat openshift Redhat satellite Redhat service Mesh Redhat stf |
|
| CPEs | cpe:/a:redhat:acm:2 cpe:/a:redhat:ansible_core:2 cpe:/a:redhat:ansible_portal:2 cpe:/a:redhat:discovery:2::el9 cpe:/a:redhat:migration_toolkit_applications:8 cpe:/a:redhat:migration_toolkit_virtualization:2 cpe:/a:redhat:openshift:4 cpe:/a:redhat:satellite:6 cpe:/a:redhat:service_mesh:3 cpe:/a:redhat:stf:1.5 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9 |
|
| Vendors & Products |
Redhat acm
Redhat ansible Portal Redhat discovery Redhat enterprise Linux Redhat migration Toolkit Applications Redhat migration Toolkit Virtualization Redhat openshift Redhat satellite Redhat service Mesh Redhat stf |
Sun, 07 Jun 2026 11:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat ansible Core
|
|
| Vendors & Products |
Redhat ansible Core
|
Fri, 05 Jun 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 05 Jun 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Fri, 05 Jun 2026 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install. | |
| Title | Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution | |
| First Time appeared |
Redhat
Redhat ansible Automation Platform |
|
| Weaknesses | CWE-88 | |
| CPEs | cpe:/a:redhat:ansible_automation_platform:2 | |
| Vendors & Products |
Redhat
Redhat ansible Automation Platform |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: redhat
Published: 2026-06-05T08:21:43.027Z
Updated: 2026-07-13T12:05:08.943Z
Reserved: 2026-06-05T07:58:25.632Z
Link: CVE-2026-11332
Updated: 2026-07-13T12:05:08.943Z
Status : Awaiting Analysis
Published: 2026-06-05T09:16:26.070
Modified: 2026-06-05T14:56:14.030
Link: CVE-2026-11332