CVE-2026-11837: Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 6
HarborGuard Analysis
Synopsis
A local privilege escalation vulnerability exists in the ansible.posix authorized_key module, part of the ansible-collection-ansible-posix package on Red Hat Enterprise Linux and Red Hat OpenStack Platform. The module's keyfile() function calls os.chown() instead of os.lchown() and opens files without the O_NOFOLLOW flag, allowing a low-privileged local user to pre-stage symbolic links in their ~/.ssh directory. When an operator runs the authorized_key task as root, the attacker redirects ownership changes to arbitrary system paths, gaining full local privilege escalation. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.
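The descriptor-based pattern that avoids the symlink-following behaviour described above, as an added example (not the module's code and not an upstream patch). The names `open_keyfile_nofollow` and `demo` are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def open_keyfile_nofollow(ssh_dir, name, uid, gid, mode=0o600):
    """Hypothetical hardened helper (not the module's keyfile() code).
    Returns an open fd; raises OSError if a symlink is in the way."""
    # O_NOFOLLOW only guards the last path component, so open ~/.ssh itself
    # with it first and resolve the key file relative to that directory fd.
    dir_fd = os.open(ssh_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, mode,
                     dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        # Act on the descriptor, not the path: fchown/fchmod cannot be
        # redirected by a link swapped in after the open.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("keyfile is not a regular file")
        os.fchown(fd, uid, gid)
        os.fchmod(fd, mode)
    except OSError:
        os.close(fd)
        raise
    return fd

def demo():
    """Constructed sample tree: a pre-staged link, then a clean directory."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    decoy = os.path.join(root, "decoy")  # stands in for a system file
    open(decoy, "w").close()
    link = os.path.join(ssh_dir, "authorized_keys")
    os.symlink(decoy, link)
    me = (os.getuid(), os.getgid())
    results = {}
    try:
        os.close(open_keyfile_nofollow(ssh_dir, "authorized_keys", *me))
        results["symlink"] = "opened"
    except OSError:
        results["symlink"] = "refused"
    os.unlink(link)
    os.close(open_keyfile_nofollow(ssh_dir, "authorized_keys", *me))
    results["clean"] = stat.S_IMODE(os.lstat(link).st_mode)
    return results

if __name__ == "__main__":
    print(demo())
```

The helper refuses both a symlinked key file and a symlinked `.ssh` directory, and changes ownership only on a regular file it has already opened.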
HarborGuard Coverage
Detection of CVE-2026-11837 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle ansible-collection-ansible-posix.
Available
HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.3 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing, directing findings to the appropriate team inbox within each customer organization.
Available
Because no fix version has been published, HarborGuard re-checks the upstream Red Hat advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix ships. For customers who opt into auto-remediation, that rebuild will trigger a regression run and open a pull request against affected workloads without manual intervention.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
- Authentication: Required
  Any low-privilege local account is sufficient; the attacker only needs a normal user session to pre-stage the symlink before the privileged Ansible task runs.
- Victim interaction: Required
  An operator (or automated process) must execute the authorized_key Ansible task as root, making the attack dependent on that privileged action occurring.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no race condition, specific memory layout, or other environmental factors beyond the symlink being in place before the task runs.
Blast Radius
- Reads files owned by root or other privileged system users after redirecting chown, exposing sensitive credentials, keys, or configuration.
- Modifies ownership of arbitrary system paths such as /etc/passwd or /etc/shadow, enabling the attacker to write to those files and alter authentication configuration.
- Gains effective root-level access on the affected host, allowing installation of backdoors or further lateral movement within the environment.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Red Hat advisory for CVE-2026-11837 is active across every environment scanning images that include ansible-collection-ansible-posix. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on each ingest cycle and will trigger a patched-image rebuild automatically the moment Red Hat publishes a corrected package. For customers who opt into auto-remediation, the rebuild will be followed by a regression test run and a pull request opened against affected workloads. In the meantime, compensating controls worth considering include restricting which service accounts can execute Ansible playbooks as root, applying network-policy isolation to hosts where the authorized_key module runs to limit the blast radius of a compromised session, and auditing ~/.ssh directories on managed hosts for unexpected symbolic links as a detective measure.
Affected Products
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat OpenStack Platform 17.1
- Red Hat / Red Hat OpenStack Platform 18.0
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H