CVE-2026-11332
Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
Description
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
In plain language
If you install Ansible roles from untrusted sources, a malicious role can trigger arbitrary code execution during `ansible-galaxy role install`; avoid untrusted roles and watch for a fix, since no patch is currently known.
In Red Hat Ansible Automation Platform 2 (ansible-core), improper handling of argument delimiters in `ansible-galaxy role install` allows a malicious role’s `meta/requirements.yml` to inject crafted git flags, resulting in arbitrary code execution on the installer’s machine.
What to do now
- Confirm whether your team ever runs ansible-galaxy role install to fetch roles from third parties or shared/unknown role repositories.
- Inventory the roles currently installed via ansible-galaxy role install and identify any roles whose source you cannot fully verify (author, repository, and version).
- Stop installing roles from untrusted sources; only install roles you trust and can verify (e.g., internal repos with review, approved authors).
- If you must install new roles, do it only from approved sources and pin to specific, known-good versions.
- Check with Red Hat for a fix related to CVE-2026-11332 for Red Hat Ansible Automation Platform 2, and apply the vendor update as soon as it’s released.
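One way to carry out the inventory step above is to scan each installed role's meta/requirements.yml and report dependencies whose src does not look like a plain source (an argument-shaped value or one containing delimiters), git dependencies hosted outside an allowlist, and git dependencies that float on a branch instead of a pinned tag or commit. The script below is an added example, not code from this advisory, Red Hat or the Ansible project; the APPROVED_HOSTS allowlist, the SAMPLE_REQUIREMENTS data and the heuristic in is_git_source are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Assumption for the example: hosts this organisation treats as approved
# role sources. Replace with your own allowlist.
APPROVED_HOSTS = {"git.example.internal", "github.com"}

# Refs that do not pin a dependency to reviewable content.
FLOATING_REFS = {"", "master", "main", "HEAD"}


def suspicious_src(src):
    """True if a src value looks like a command-line option or contains
    argument delimiters rather than being a plain URL or Galaxy role name."""
    if not isinstance(src, str):
        return True
    if src.startswith("-"):                 # would be read as a flag, not a source
        return True
    if re.search(r"[\s\x00-\x1f]", src):    # whitespace or control characters
        return True
    return False


def is_git_source(src, scm):
    """Heuristic (assumption): treat the entry as a git checkout if scm says so
    or the src is URL-shaped / ends in .git."""
    return scm == "git" or src.endswith(".git") or src.startswith("git+") or "://" in src


def audit_requirements(entries):
    """Return (role_label, issue) tuples for each problem found in the parsed
    contents of a meta/requirements.yml (a list of strings or dicts)."""
    findings = []
    for entry in entries:
        if isinstance(entry, str):
            label, src, scm, version = entry, entry, None, None
        elif isinstance(entry, dict):
            src, scm, version = entry.get("src"), entry.get("scm"), entry.get("version")
            label = entry.get("name") or (src if isinstance(src, str) else "<unnamed>")
        else:
            findings.append((repr(entry), "unrecognised entry type"))
            continue
        if suspicious_src(src):
            findings.append((label, "src looks like an argument, not a source"))
            continue
        if is_git_source(src, scm):
            host = urlparse(src).hostname   # None for scp-style git@host:path forms
            if host not in APPROVED_HOSTS:
                findings.append((label, f"git source host {host!r} not approved"))
            if str(version or "").strip() in FLOATING_REFS:
                findings.append((label, "git dependency not pinned to a tag or commit"))
    return findings


def load_requirements(path):
    """Parse one requirements.yml; PyYAML is imported lazily (ansible-core depends on it)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        data = yaml.safe_load(fh) or []
    if isinstance(data, dict):              # the file may wrap the list in a `roles:` key
        data = data.get("roles", [])
    return data


def audit_roles_dir(roles_dir):
    """Walk <roles_dir>/*/meta/requirements.yml and collect (role, dependency, issue)."""
    findings = []
    for req in sorted(Path(roles_dir).glob("*/meta/requirements.yml")):
        for label, issue in audit_requirements(load_requirements(req)):
            findings.append((req.parent.parent.name, label, issue))
    return findings


# Constructed sample input standing in for a real requirements.yml.
SAMPLE_REQUIREMENTS = [
    "geerlingguy.java",                                            # plain Galaxy name
    {"name": "nginx_common", "scm": "git", "version": "v2.3.1",
     "src": "https://git.example.internal/ops/nginx_common.git"},  # approved, pinned
    {"name": "util_role", "scm": "git",
     "src": "https://github.com/someone/util_role.git"},           # floats on default branch
    {"name": "weird_role", "scm": "git",
     "src": "--option=value"},                                     # argument-shaped src
    {"name": "unknown_host", "scm": "git", "version": "main",
     "src": "https://gitlab.example.org/x/y.git"},                 # host not approved, unpinned
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = audit_roles_dir(sys.argv[1])
    else:
        rows = [("<sample>",) + f for f in audit_requirements(SAMPLE_REQUIREMENTS)]
    for row in rows:
        print(": ".join(row))
```

Run it against an installed roles path (e.g. `python audit_roles.py ~/.ansible/roles`) to list every dependency that needs a closer look; with no argument it audits the embedded sample. The src check is deliberately broad: it flags any value shaped like an option or containing delimiters, so the reviewer decides, rather than trying to recognise specific git flags.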
CVSS Vector Breakdown
AV:L  Attack Vector: Local
AC:L  Attack Complexity: Low
PR:N  Privileges Required: None
UI:R  User Interaction: Required
S:U   Scope: Unchanged
C:H   Confidentiality: High
I:H   Integrity: High
A:H   Availability: High