CVE-2026-11332: Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Argument injection in ansible-core's ansible-galaxy role install command allows a malicious role author to embed crafted git configuration flags inside a role's meta/requirements.yml file. The vulnerability is reached locally when a user runs ansible-galaxy role install, and requires the user to interact with a malicious role (for example, by installing it from a public or compromised source). Successful exploitation gives the attacker full code execution on the machine running the install command. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection capability is available across every HarborGuard environment: the CVE is ingested from Red Hat and upstream NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ansible-core or the Ansible Automation Platform. No manual scan trigger is required. (Status: Available)
- HarborGuard scores this finding at CVSS 7.8 HIGH and is capable of weighting it further against each environment's compliance policy before routing it to the appropriate team inbox inside the customer org. (Status: Available)
- Because no upstream fix version has been published yet, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without any manual steps. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Not required. The attacker does not need network access to the victim machine; they need an existing shell or process on the host, or the victim must pull and install a role the attacker controls.
- Authentication: Not required. No account or credentials on the target machine are required; any user capable of running ansible-galaxy is sufficient.
- Victim interaction: Required. The victim must actively run ansible-galaxy role install against a role that contains the malicious meta/requirements.yml, making this a social-engineering or supply-chain vector.
- Attack complexity: Low. The injected arguments are processed deterministically, with no race conditions or special memory-layout requirements.
Blast Radius
- Reads files and secrets accessible to the user running ansible-galaxy, including SSH keys, vault passwords, and environment variables.
- Writes or modifies files on the local filesystem under the permissions of the installing user.
- Executes arbitrary commands on the developer or CI machine performing the role install, enabling full host compromise at the privilege level of that user.
- Compromises CI/CD pipeline runners that automate role installation, potentially propagating malicious changes into production infrastructure.
How HarborGuard Handles This
Available on HarborGuard: images containing ansible-core or any Red Hat Ansible Automation Platform 2 package are flagged against this CVE as soon as they enter a customer registry or pipeline build. Because no fix version exists upstream yet, HarborGuard monitors the Red Hat advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a fix is published; customers with auto-remediation enabled will then receive a rebuilt image, a regression-test run, and a PR opened against affected workloads with no manual steps required. In the meantime, compensating controls worth considering include restricting ansible-galaxy role install to a curated, internally mirrored role repository, enforcing network-policy isolation on CI runner containers so outbound git traffic is limited to approved hosts, and requiring role content reviews before installation in automated pipelines. HarborGuard will surface the availability of an upstream patch without any action needed from the customer.
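As an added defensive example (not code from the Red Hat advisory or from HarborGuard's product), the following Python script turns two of the compensating controls above into a pre-install gate for CI: it parses a role's requirements.yml, rejects any src value that contains an option-like token (one beginning with "-", the shape a git flag injected through the src field would need to take) and rejects any source whose host is not on an approved internal mirror list. The approved-host names, the sample requirements file and the minimal list-of-mappings parser are all constructed for this example; the option-like check is a conservative heuristic, not a signature for a specific payload.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of internally approved git hosts (placeholder names).
ALLOWED_HOSTS = {"git.internal.example", "galaxy.ansible.com"}

# Constructed sample requirements.yml. The last entry is deliberately
# option-like and does not correspond to any real payload.
SAMPLE_REQUIREMENTS = """\
roles:
  - src: https://git.internal.example/ansible/common.git
    version: v1.4.0
    name: common
  - src: git@git.internal.example:ansible/hardening.git
    scm: git
  - geerlingguy.docker
  - src: https://git.example.org/someone/thirdparty-role.git
    version: main
  - src: "--constructed-option-like-value"
    scm: git
"""

# A token beginning with '-' at the start of the value or after whitespace.
OPTION_LIKE = re.compile(r"(^|\s)-")


def parse_requirements(text):
    """Parse the flat list-of-mappings form of requirements.yml.

    Handles '- src: ...' items with indented 'key: value' lines and bare
    '- role.name' items. Written for this example only; it is not a YAML
    parser and ignores anchors, flow style and multi-line scalars.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":") and not line[:1].isspace() and not stripped.startswith("-"):
            continue  # top-level section key such as 'roles:' or 'collections:'
        if stripped.startswith("- "):
            current = {}
            entries.append(current)
            stripped = stripped[2:].strip()
        if current is None:
            continue
        key, sep, value = stripped.partition(":")
        if sep:
            current[key.strip()] = value.strip().strip("'\"")
        else:
            current["name"] = stripped  # bare role name, resolved by the galaxy server
    return entries


def _host_of(src):
    """Return the host of a URL or scp-like (user@host:path) git location, else None."""
    host = urlparse(src).hostname
    if host is None and "@" in src and ":" in src.split("@", 1)[1]:
        host = src.split("@", 1)[1].split(":", 1)[0]
    return host


def check_entry(entry, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of problems for one requirements entry (empty if it passes)."""
    src = entry.get("src", "")
    if not src:
        return []  # no remote location to fetch, nothing for git to receive
    problems = []
    if OPTION_LIKE.search(src):
        problems.append("src contains an option-like token beginning with '-'")
    host = _host_of(src)
    if host is None:
        problems.append("src has no recognisable host")
    elif host not in allowed_hosts:
        problems.append(f"host {host!r} is not in the approved mirror list")
    return problems


def audit_requirements(text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(src, problems), ...] for every entry that fails a check."""
    findings = []
    for entry in parse_requirements(text):
        problems = check_entry(entry, allowed_hosts)
        if problems:
            findings.append((entry.get("src", ""), problems))
    return findings


if __name__ == "__main__":
    for src, problems in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"REJECT {src}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it against each role's meta/requirements.yml before ansible-galaxy role install executes in a pipeline and fail the job on any finding; the allowlist check is the part that enforces the "curated, internally mirrored repository" control, while the option-like check catches the src shape this advisory describes even when the host is approved.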
- Red Hat / Red Hat Ansible Automation Platform 2
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H