
Ansible Core CVE-2026-11332

EUVD-2026-34791 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-05 secalert@redhat.com GHSA-w8p5-mx5w-cpqj
7.8
CVSS 3.1 · NVD

Severity by source

NVD (primary): 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
SUSE: HIGH (qualitative)
Red Hat: 7.8 HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 05, 2026 - 09:31 (vuln.today)

Description (CVE.org)

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Analysis (AI)

Arbitrary code execution in ansible-core's ansible-galaxy role install command allows malicious role authors to execute code on a victim's machine when the victim installs the role. The flaw stems from improper neutralization of argument delimiters (CWE-88) in the src field of meta/requirements.yml, allowing injection of arbitrary git configuration flags. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Publish malicious role with crafted requirements.yml
Delivery: Victim runs ansible-galaxy role install
Exploit: ansible-galaxy parses src dependency field
Execution: Injected git flags passed to git subprocess
Persist: Git executes attacker-controlled command
Impact: Code runs as installing user

Vulnerability Assessment (AI)

Exploitation: A victim must voluntarily run ansible-galaxy role install (UI:R) against a role authored or controlled by the attacker, and that role's meta/requirements.yml must declare a dependency whose src field carries the injected git argument delimiters. The malicious payload is processed locally (AV:L) during dependency resolution, so it cannot be triggered by network-only access to a target. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 7.8 (High) and accurately reflects the threat model: exploitation occurs locally on the victim's workstation or CI runner at the moment they choose to install a tainted role, with no authentication on the target but mandatory user interaction (the install action). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker publishes or compromises an Ansible role on Galaxy (or a git host) whose meta/requirements.yml contains a transitive dependency with a src value that smuggles malicious git flags. When a developer or CI pipeline runs ansible-galaxy role install against the parent role, ansible-galaxy invokes git with the attacker-controlled arguments and executes arbitrary commands as the user running the install. …

Remediation: No vendor-released patch was identified at the time of analysis from the provided data. Monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11332 and the upstream ansible/ansible repository for a fixed release, and upgrade ansible-core to that version once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Audit all ansible-core installations in your environment and create an inventory of installed roles and their sources. …
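The audit step above can be partly automated. The following is an added example, not part of the vuln.today analysis or of ansible-core's own code: it takes a role's already-parsed meta/requirements.yml dependency list (as yaml.safe_load would return it) and reports any src value that git would interpret as an option rather than a repository operand, which is the CWE-88 condition the description refers to. It also shows a hardened argv builder that refuses such values and terminates option parsing with `--`; that builder is an illustrative mitigation pattern and is not the upstream fix. The sample dependency list and its suspicious entries are constructed.

```python
"""Audit ansible-galaxy dependency specs for argument-delimiter abuse (CWE-88)."""

# Constructed sample: the parsed contents of a role's meta/requirements.yml.
# Entries may be plain strings or dicts carrying an explicit "src" field, as in
# ansible-galaxy's dependency format. The two option-like entries are made up
# for this example; they are not payloads from any real role.
SAMPLE_DEPENDENCIES = [
    "geerlingguy.java",
    {"src": "https://github.com/example/benign-role.git", "scm": "git", "version": "main"},
    {"src": "--constructed-bad-flag=example", "scm": "git", "name": "looks_normal"},
    {"src": "  -c placeholder", "scm": "git"},
]


def dependency_src(dep):
    """Return the src string of a dependency spec in either string or dict form."""
    if isinstance(dep, str):
        return dep
    if isinstance(dep, dict):
        return str(dep.get("src", ""))
    return ""


def is_option_like(src):
    """True when git would parse the value as an option instead of an operand.

    Leading whitespace is ignored so padding cannot hide the delimiter.
    """
    return src.lstrip().startswith("-")


def audit_dependencies(deps):
    """Return every src value that would reach the git subprocess as an option."""
    return [dependency_src(d) for d in deps if is_option_like(dependency_src(d))]


def safe_git_clone_argv(src, dest):
    """Hardened argv for cloning a dependency (illustrative mitigation pattern).

    Rejects option-like src values outright and places '--' before positional
    arguments so git stops option parsing even if a check is missed upstream.
    """
    if is_option_like(src):
        raise ValueError(f"refusing option-like src value: {src!r}")
    return ["git", "clone", "--", src, dest]


if __name__ == "__main__":
    for bad in audit_dependencies(SAMPLE_DEPENDENCIES):
        print("suspicious src:", repr(bad))
```

Point the script at each installed role's meta/requirements.yml (loaded with yaml.safe_load) to build the inventory of role sources the recommended action calls for.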


Vendor Status

SUSE

Severity: Important

Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7: Affected
SUSE Linux Enterprise Module for Systems Management 15 SP7: Affected
SUSE Linux Enterprise Server 16.0: Affected
SUSE Linux Enterprise Server 16.1: Affected
SUSE Linux Enterprise Server for SAP applications 16.0: Affected
