Description
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the legacy role import API of Red Hat Ansible Automation Platform 2. The function responsible for checking out code from a git repository inserts unsanitized git reference names—such as branch or tag identifiers—directly into a shell command invoked with shell=True. An authenticated user who controls the repository can create a reference containing shell metacharacters. When the Galaxy/Hub service is configured to allow legacy role operations (GALAXY_ENABLE_LEGACY_ROLES set to True), the attacker can trigger the vulnerable endpoint and execute arbitrary commands on the Pulp worker, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects Red Hat Ansible Automation Platform 2, specifically the Galaxy/Hub component that implements legacy role import functionality. The affected installation is identified by the CPE cpe:/a:redhat:ansible_automation_platform:2 and includes all releases of version 2 of the platform.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. The EPSS score of less than 1% suggests a low probability of exploitation in the wild as of the latest assessment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have authenticated access and to control a git repository whose ref names can be set. The mitigatable configuration parameter GALAXY_ENABLE_LEGACY_ROLES is not enabled by default, so exposure is limited to customers who intentionally enable legacy role support. Nonetheless, the potential impact of remote code execution warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 18:36 UTC.

Remediation

Vendor Workaround

The following practices would help for avoiding exposure and mitigate this flaw: 1. Ensure that GALAXY_ENABLE_LEGACY_ROLES is set to False (the default) in your Galaxy/Hub configuration. This prevents the v1 API routes from being registered, making the vulnerable endpoint entirely unreachable. 2. If legacy role support must be enabled, restrict access to the Galaxy/Hub API to trusted users only. The vulnerability requires authentication, so limiting who can authenticate reduces exposure. 3. Monitor import activity for suspicious git references containing shell metacharacters in branch or tag names.


OpenCVE Recommended Actions

  • Set GALAXY_ENABLE_LEGACY_ROLES to False in the Galaxy/Hub configuration to prevent the vulnerable API route from being registered.
  • If legacy role support must remain enabled, restrict API access to trusted users only, for example by applying role‑based access control or network filtering to limit authentication options.
  • Monitor import activity for suspicious git references containing shell metacharacters in branch or tag names and audit related logs regularly.

Generated by OpenCVE AI on June 17, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6hw7-j4jw-wpff Galaxy NG: command injection vulnerability
History

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Title Galaxy_ng: shell injection in legacy role import via unsanitized git ref names
First Time appeared Redhat
Redhat ansible Automation Platform
Weaknesses CWE-78
CPEs cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products Redhat
Redhat ansible Automation Platform
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Redhat Ansible Automation Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-29T17:37:37.751Z

Reserved: 2026-06-16T13:22:54.012Z

Link: CVE-2026-12398

cve-icon Vulnrichment

Updated: 2026-06-16T16:06:32.657Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T15:16:36.103

Modified: 2026-06-16T15:26:04.250

Link: CVE-2026-12398

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T00:00:00Z

Links: CVE-2026-12398 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:00:12Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')