Command Injection in galaxy_ng Legacy Role Import API
CVE-2026-12398 Published on June 16, 2026
Galaxy_ng: shell injection in legacy role import via unsanitized git ref names
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
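As an added illustration (not galaxy_ng's own code), the pattern the advisory describes beside a hardened version: the ref name is checked against a conservative allow-list and then passed as a single argv element to `subprocess.run()` without a shell, so metacharacters in a branch or tag name can never reach `/bin/sh`. The function and variable names below are assumptions.

```python
import re
import subprocess

# Conservative allow-list for branch/tag names, modelled on a subset of the
# git check-ref-format rules (assumption: stricter than git itself). It rejects
# shell metacharacters, whitespace and a leading '-' (which git would parse as an option).
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_ref_name(ref: str) -> bool:
    """Return True only for ref names that are safe to hand to git as one argument."""
    if not ref or len(ref) > 255 or not _REF_RE.fullmatch(ref):
        return False
    # Remaining git-specific rejects that the character class alone does not cover.
    if ".." in ref or "//" in ref or ref.endswith("/") or ref.endswith(".lock"):
        return False
    return True


def vulnerable_checkout_cmd(repo_dir: str, ref: str) -> str:
    """The weak pattern: the ref is interpolated verbatim into a shell command line.
    Returned as a string only so the test can inspect it; never executed here."""
    return f"cd {repo_dir} && git checkout {ref}"


def safe_checkout_argv(repo_dir: str, ref: str) -> list[str]:
    """Hardened form: validate the ref, then build an argv list (no shell involved)."""
    if not is_safe_ref_name(ref):
        raise ValueError(f"refusing unsafe git ref name: {ref!r}")
    # '-C' makes git operate on repo_dir, so no 'cd' and no shell string are needed.
    return ["git", "-C", repo_dir, "checkout", ref]


def checkout_ref(repo_dir: str, ref: str) -> subprocess.CompletedProcess:
    """Run the checkout with shell=False (the default), so argv elements are never re-parsed."""
    return subprocess.run(safe_checkout_argv(repo_dir, ref),
                          check=True, capture_output=True, text=True)
```

The vulnerable string still contains whatever the ref holds, whereas the argv form rejects a crafted name before git is ever invoked.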
Vulnerability Analysis
CVE-2026-12398 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-12398 has been classified as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-12398