HIGH 7.8
GHSA-w8p5-mx5w-cpqj
ansible-core: Argument injection in ansible-galaxy role install leads to arbitrary code execution
Details
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / ansible-core
Introduced in:
0 Fixed in: 2.16.19rc1 Fix
pip install --upgrade 'ansible-core>=2.16.19rc1' PyPI / ansible-core
Introduced in:
2.17.0b1 Fixed in: 2.18.18rc1 Fix
pip install --upgrade 'ansible-core>=2.18.18rc1' PyPI / ansible-core
Introduced in:
2.19.0b1 Fixed in: 2.19.11rc1 Fix
pip install --upgrade 'ansible-core>=2.19.11rc1' PyPI / ansible-core
Introduced in:
2.20.0b1 Fixed in: 2.20.7rc1 Fix
pip install --upgrade 'ansible-core>=2.20.7rc1' PyPI / ansible-core
Introduced in:
2.21.0b1 Fixed in: 2.21.1rc1 Fix
pip install --upgrade 'ansible-core>=2.21.1rc1' References
- https://nvd.nist.gov/vuln/detail/CVE-2026-11332 [ADVISORY]
- https://github.com/ansible/ansible/pull/87070 [WEB]
- https://github.com/ansible/ansible/commit/edee59aa15abcc74d920bb3e9c3835ab8db05a2f [WEB]
- https://access.redhat.com/security/cve/CVE-2026-11332 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2485379 [WEB]
- https://github.com/ansible/ansible [PACKAGE]
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11332.json [WEB]