Skip to main content

ansible.posix CVE-2026-11837

| EUVDEUVD-2026-35982 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-10 secalert@redhat.com GHSA-49qh-h4vj-mrgf
7.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 05:30 vuln.today

DescriptionCVE.org

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.

AnalysisAI

Local privilege escalation in the ansible.posix collection's authorized_key module allows an unprivileged local user to redirect root-owned file ownership changes to arbitrary system paths via symlink attacks in ~/.ssh. The module's keyfile() function calls os.chown() instead of os.lchown() and omits O_NOFOLLOW when opening files, so a pre-staged symlink is followed during privileged execution. No public exploit identified at time of analysis, but the technique is a well-understood TOCTOU/symlink class with a moderate-to-high CVSS (7.3).

Technical ContextAI

ansible.posix is a Red Hat-maintained Ansible collection providing POSIX-oriented modules, including authorized_key for managing SSH ~/.ssh/authorized_keys files on managed hosts. The flaw is rooted in CWE-59 (Improper Link Resolution Before File Access / 'Link Following'): when the keyfile() helper ensures the target user's authorized_keys file exists with correct ownership and permissions, it uses os.chown() (which follows symlinks) rather than os.lchown() (which operates on the link itself), and opens the file without the O_NOFOLLOW flag. Combined, these two issues mean any symlink the target user controls inside ~/.ssh is silently dereferenced by the module running as root, causing chown/open operations to apply to whatever path the symlink points to.

Affected ProductsAI

The affected component is the ansible.posix Ansible collection, specifically the authorized_key module's keyfile() implementation. Exact fixed versions are not enumerated in the provided intelligence; the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11837 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2487424 should be consulted for the authoritative version matrix. No CPE strings were provided in the input. All deployments that execute authorized_key as root against accounts whose ~/.ssh is writable by an untrusted local user are in scope, regardless of the Ansible controller version.

RemediationAI

Upgrade the ansible.posix collection to the fixed release identified in the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-11837 (cross-reference https://bugzilla.redhat.com/show_bug.cgi?id=2487424 for the precise patched version, which is not independently confirmed in the data provided here). Until the patched collection is deployed, mitigations include: avoiding running the authorized_key module as root against accounts whose home directories are writable by the target user (use become_user to the target account so symlinks fall under the user's own UID, at the cost of needing the target user to exist with a usable shell); pre-creating and locking ~/.ssh and ~/.ssh/authorized_keys with correct ownership and immutable attributes (chattr +i) so symlink substitution fails (trade-off: future legitimate edits must temporarily clear the immutable bit); or restricting which operators can run playbooks containing authorized_key on multi-tenant hosts. Generic 'apply defense in depth' guidance is not sufficient here - the chown-follows-symlink primitive bypasses normal permission checks.

Vendor StatusVendor

Share

CVE-2026-11837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy