ansible-core Role Install Git Flag Injection (CVE-2026-11332)
CVE-2026-11332 Published on June 5, 2026
Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
Vulnerability Analysis
CVE-2026-11332 is exploitable with local system access and requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public 52 days later.
Weakness Type
What is an Argument Injection Vulnerability?
The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CVE-2026-11332 has been classified as an Argument Injection vulnerability or weakness.
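As an added illustration (not ansible-core's code and not the upstream fix), the Python below applies the generic argument-injection defence to the src field described above: it audits already-parsed meta/requirements.yml entries for src values that git could read as options, and builds a clone command that ends option parsing with "--". The entry layout, function names and sample values are assumptions constructed for this example.

```python
import re

# Constructed sample: entries as they might look after parsing a role's
# meta/requirements.yml. None of these come from a real role.
SAMPLE_REQUIREMENTS = [
    {"src": "https://example.invalid/acme/role-nginx.git", "scm": "git"},
    {"src": "git+https://example.invalid/acme/role-db.git", "version": "v1.2.0"},
    {"src": "--example-flag=value", "scm": "git"},
    {"src": "https://example.invalid/x.git --example-flag=value", "scm": "git"},
    {"name": "acme.common"},  # no src field, nothing to check
]

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _strip_scheme_prefix(src):
    """Drop the 'git+' prefix that ansible-galaxy accepts in front of a URL."""
    return src[4:] if src.startswith("git+") else src


def src_findings(src):
    """Return the reasons a src value could be parsed as options by git."""
    value = _strip_scheme_prefix(src)
    reasons = []
    if _CONTROL.search(value):
        reasons.append("control character in src")
    tokens = value.split()
    reasons += ["token %r starts with '-'" % t for t in tokens if t.startswith("-")]
    if len(tokens) > 1:
        reasons.append("whitespace splits src into several arguments")
    return reasons


def audit_requirements(entries):
    """Map entry index -> findings for every entry with a suspicious src."""
    report = {}
    for index, entry in enumerate(entries):
        src = entry.get("src")
        if isinstance(src, str) and src_findings(src):
            report[index] = src_findings(src)
    return report


def safe_clone_argv(src, dest):
    """Build a git clone argv: reject option-like src, then end options with '--'."""
    if src_findings(src):
        raise ValueError("refusing option-like src: %r" % src)
    return ["git", "clone", "--", _strip_scheme_prefix(src), dest]
```

Running audit_requirements over a downloaded role's dependency entries before installation flags the two option-like src values in the sample and leaves the ordinary URLs alone.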
Products Associated with CVE-2026-11332
Affected Versions
Red Hat Ansible Automation Platform 2
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.