Description
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
Published: 2026-06-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the ansible.posix authorized_key module allows an unprivileged local user to create symbolic links in their ~/.ssh directory. When an operator runs the authorized_key task as root, the module’s keyfile() function performs an os.chown() on the targeted file without preventing symlink resolution, which can redirect the ownership change to an arbitrary system path. This results in the attacker gaining ownership of files they should not have access to, effectively elevating privileges on the local system. The weakness is a classic symlink‑follow security flaw (CWE‑59).

Affected Systems

Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenStack Platform 17.1, and Red Hat OpenStack Platform 18.0

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. EPSS information is not available and the vulnerability is not listed in CISA's KEV catalog. The attack vector is local; the attacker must have a user account on the host and must be able to pre‑stage the symlink in their own ~/.ssh directory before an operator executes the authorized_key task with elevated privileges. Once the symlink exists, the privileged run will change ownership of the target file, thus enabling local privilege escalation. The risk remains significant until a fix is applied, as the path to exploitation is straightforward and requires no specialized expertise beyond normal local access.

Generated by OpenCVE AI on June 10, 2026 at 06:50 UTC.

Remediation

Vendor Workaround

The following practices would help for avoiding exposure and mitigate this flaw: 1) Do not run the ansible.posix authorized_key module with elevated privileges against untrusted user accounts. 2) Validate that target user home directories do not contain unexpected symbolic links before running playbooks.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade ansible.posix to a version where keyfile() uses os.lchown() or includes O_NOFOLLOW protection.
  • Avoid running the ansible.posix authorized_key module with root privileges when targeting accounts that could be misused by local users.
  • Before running playbooks, inspect target user home directories for unexpected symbolic links and remove or correct them.

Generated by OpenCVE AI on June 10, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openstack Platform
Vendors & Products Redhat openstack Platform

Wed, 10 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
Title Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown
First Time appeared Redhat
Redhat enterprise Linux
Redhat openstack
Weaknesses CWE-59
CPEs cpe:/a:redhat:openstack:17.1
cpe:/a:redhat:openstack:18.0
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openstack
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Redhat Enterprise Linux Openstack Openstack Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T12:06:54.166Z

Reserved: 2026-06-10T04:10:05.146Z

Link: CVE-2026-11837

cve-icon Vulnrichment

Updated: 2026-06-30T02:43:13.554Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T05:16:38.510

Modified: 2026-06-10T19:24:04.320

Link: CVE-2026-11837

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-10T00:00:00Z

Links: CVE-2026-11837 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:19Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')