LiveActive security incident?Get immediate response
CVE Record

CVE-2026-11332: Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Installing an untrusted Ansible role can silently run attacker code on the machine doing the install. The role's metadata can smuggle extra options into git, turning a routine "download this role" step into arbitrary command execution. Anyone who runs ansible-galaxy role install against a malicious or tampered role is at risk, including automation build hosts and engineer laptops.

Executive priority

Treat as a high-priority patch cycle for teams that use Ansible Automation Platform or ansible-galaxy in build pipelines. Not an internet-facing zero-day, but a realistic supply-chain path into automation infrastructure, which typically holds broad credentials. Schedule remediation in the next standard maintenance window and restrict external role installs in the interim.

Technical view

A CWE-88 argument injection flaw exists in ansible-core's ansible-galaxy role install. Dependency entries from a role's meta/requirements.yml are passed to git without properly neutralizing argument delimiters in the src field, letting a hostile role author inject arbitrary git configuration flags. Those flags can trigger code execution during clone, yielding local code execution under the installing user's identity. CVSS 3.1 is 7.8 (AV:L/AC:L/PR:N/UI:R).

Likely exposure

Any host that runs ansible-galaxy role install against community or third-party roles: developer workstations, CI/CD build agents, controller nodes, and Ansible Automation Platform components (execution environments, hub, controller, EDA, lightspeed, gateway) flagged as affected by Red Hat. Migration Toolkit, ACM, and OpenShift Service Mesh operator images are also under investigation per the Red Hat advisory.

Exploitation context

Not listed in CISA KEV and no public exploitation is cited in the bundle. Attack requires the victim to install a role controlled or influenced by the attacker (UI:R), so exposure hinges on trust in role sources and dependency pipelines. Because supply-chain-style abuse of Galaxy content is plausible, treat any automation host that pulls external roles as at risk until patched.

Researcher notes

CWE-88 argument injection through the src field of meta/requirements.yml means the git command line built by ansible-galaxy accepts attacker-supplied flags. Focus review on how role dependency specs are tokenized and passed to subprocess/git invocations. Red Hat lists many AAP 2.6 components as "affected" and several MTA/MTV/ACM/Service Mesh operator bundles as "unknown," so the CSAF VEX is the authoritative per-product status. KEV flag is false as of 2026-07-10.

Mitigation direction

  • Apply Red Hat ansible-core updates once released for AAP 2.4/2.5/2.6 and affected operator images.
  • Restrict ansible-galaxy role install to vetted, internally mirrored role sources only.
  • Block or proxy outbound Galaxy pulls from CI runners and controller nodes until patched.
  • Run role installs as low-privilege users in isolated execution environments, not as root.
  • Review meta/requirements.yml files in existing roles for suspicious src values containing option-like syntax.
  • Track the Red Hat CSAF/VEX feed for per-product fixed versions and errata.

Validation and detection

  • Inventory hosts running ansible-core and identify those that execute ansible-galaxy role install.
  • Cross-reference installed AAP components against Red Hat's affected package list in the advisory.
  • Check package versions of ansible-core on controllers, execution environments, and developer images.
  • Audit CI/CD jobs and playbooks for calls to ansible-galaxy role install with external sources.
  • Consult Red Hat's CSAF VEX document for definitive fixed-version and 'not affected' status per product.
  • Confirm remediation by verifying upgraded ansible-core versions after Red Hat publishes errata.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-88: Command execution behavior lookup

Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-11332 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
7Timeline events
2ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H1.85.9redhat
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H1.85.9redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2026-11332Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. ADP timelineredhat-SADP

    Reported to Red Hat.

  2. Source timelineredhat

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. Source timelineredhat

    Made public.

  5. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  6. CVE publishedCVE Program

    The CVE record was published.

  7. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
other:Red Hat severity ratingcvssV3_1
  • 2026-04-14T00:00:00.000Z: Reported to Red Hat.
  • 2026-06-05T07:12:55.739Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Red HatMigration Toolkit for Applications 8mta/mta-rhel9-operatorunknown
Red HatMigration Toolkit for Virtualizationmigration-toolkit-virtualization/mtv-rhel9-operatorunknown
Red HatMigration Toolkit for Virtualizationmtv-candidate/mtv-rhel9-operatorunknown
Red HatOpenShift Service Mesh 3openshift-service-mesh/kiali-rhel9-operatorunknown
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/volsync-operator-bundleunknown
Red HatRed Hat Advanced Cluster Management for Kubernetes 2rhacm2/volsync-rhel9unknown
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-24/lightspeed-rhel8affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-25/lightspeed-rhel8affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/controller-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/de-minimal-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/de-supported-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/eda-controller-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/eda-controller-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/ee-minimal-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/ee-supported-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/gateway-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/hub-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/hub-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/lightspeed-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/lightspeed-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/platform-resource-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-26/platform-resource-runner-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/aap-cloud-billing-operator-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/controller-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/de-minimal-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/de-supported-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/eda-controller-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/eda-controller-rhel9-operatoraffected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/ee-minimal-rhel9affected
Red HatRed Hat Ansible Automation Platform 2ansible-automation-platform-27/ee-supported-rhel9affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-88 · source CWE mapping

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.