Description
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Published: 2026-06-05
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in ansible-core allows a malicious role author to inject arbitrary git configuration flags through the src field of a dependency specification in meta/requirements.yml. The improper neutralization of argument delimiters enables the attacker to execute commands on the machine that runs ansible-galaxy role install. This injection exposes the system to arbitrary code execution and is classified as a CWE-88 vulnerability.

Affected Systems

The vulnerability impacts Red Hat Ansible Automation Platform 2, specifically the ansible-core component. No detailed version information is provided, so any installation that relies on the vulnerable ansible-core logic remains a risk until an official fix is released.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, and the EPSS score is not available, making it unclear how frequently the flaw is exploited. The issue is not listed in the CISA KEV catalog. The attack requires a role author with malicious intent to supply a crafted meta/requirements.yml; a user who installs that role using ansible-galaxy role install will trigger the code execution. The vulnerability's exploitation is limited to the environment where the role is installed, but it can compromise any user or system that runs the install command. Red Hat has indicated that no workaround meeting its product security criteria is available.

Generated by OpenCVE AI on June 5, 2026 at 10:50 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Avoid installing roles from untrusted or unknown authors; only use verified sources.
  • Manually review and sanitize the meta/requirements.yml file for suspicious src entries before execution.
  • Stay updated with Red Hat security advisories and upgrade ansible-core promptly when a patch is released.
  • Red Hat provides no temporary workaround pending an official patch.
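The review of src entries recommended above can be partly automated. The following is an added example (not code from the OpenCVE record or from ansible-core): a defender-side audit that parses a role's meta/requirements.yml and flags src values that would be read as a git option or that contain argument delimiters. The sample requirements text is constructed, and the delimiter heuristics are an assumption, not the project's own fix.

```python
import re

# Heuristic (an assumption, not ansible-core's own check): a src that is a
# URL or a galaxy role name has no reason to contain these delimiters.
DELIMITERS = re.compile(r"[\s;&|`$<>]")

def parse_requirements(text):
    """Minimal parser for the simple '- src: ...' list form of requirements.yml.
    (Use PyYAML's safe_load for real files; this keeps the example offline.)"""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):      # a new list item starts a new entry
            current = {}
            entries.append(current)
            line = line[2:]
        key, sep, value = line.partition(":")
        if sep and current is not None:
            current[key.strip()] = value.strip().strip("'\"")
    return entries

def suspicious_src(src):
    """Return a reason if src looks like an injected argument, else None."""
    if src.startswith("-"):
        return "begins with '-' and would be parsed as a git option"
    if DELIMITERS.search(src):
        return "contains an argument or command delimiter"
    return None

def audit_requirements(text):
    """List (index, src, reason) for every suspicious dependency entry."""
    findings = []
    for i, entry in enumerate(parse_requirements(text)):
        reason = suspicious_src(entry.get("src", ""))
        if reason:
            findings.append((i, entry.get("src", ""), reason))
    return findings

# Constructed sample: two ordinary dependencies and one injected-flag entry.
SAMPLE_REQUIREMENTS = """\
- src: geerlingguy.docker
  version: "6.1.0"
- src: git+https://github.com/example/role.git
  name: example.role
- src: "-c placeholder.key=value"
"""

for index, src, reason in audit_requirements(SAMPLE_REQUIREMENTS):
    print(f"entry {index}: {src!r} {reason}")
```

Run it against a role's meta/requirements.yml before installing; any finding should be treated as a reason not to install the role until the author has explained the value.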


Tracking


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 12:15:00 +0000

Type         Values Removed            Values Added
References
Metrics      threat_severity: None     threat_severity: Important


Fri, 05 Jun 2026 09:15:00 +0000

Type                  Values Removed   Values Added
Description                            A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Title                                  Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
First Time appeared                    Redhat; Redhat ansible Automation Platform
Weaknesses                             CWE-88
CPEs                                   cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products                     Redhat; Redhat ansible Automation Platform
References
Metrics                                cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-05T08:21:43.027Z

Reserved: 2026-06-05T07:58:25.632Z

Link: CVE-2026-11332

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T09:16:26.070

Modified: 2026-06-05T09:16:26.070

Link: CVE-2026-11332

Redhat

Severity: Important

Public Date: 2026-06-05T07:12:55Z

Links: CVE-2026-11332 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T11:00:14Z

Weaknesses