VYPR
High severity · 7.8 · NVD Advisory · Published Jun 5, 2026

CVE-2026-11332

Description

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"improper neutralization of argument delimiters in git clone command arguments"

Attack vector

A malicious role author can craft a dependency entry in a meta/requirements.yml file. The `src` field can be manipulated to include arbitrary git configuration flags, such as `-ccore.sshCommand=sh -c "malicious_command"`. When a user installs this malicious role using `ansible-galaxy role install`, these crafted arguments are passed to `git clone` without proper separation from positional arguments. This allows for arbitrary code execution on the user's system [ref_id=1].

Affected code

The vulnerability exists in ansible-core's `ansible-galaxy` command, specifically when processing the `meta/requirements.yml` file during role installation. The `src` and `name` fields are passed to `git clone` via Python's `Popen` without a `--` separator to delimit options from positional arguments [ref_id=1].

What the fix does

The fix inserts a `--` separator before the positional arguments in the `git clone` command list built by the `ansible-galaxy` script. Git stops option parsing at `--`, so a `src` value that begins with `-` is passed to `git clone` as a positional argument (the repository to clone) rather than interpreted as a configuration option, which removes the path to arbitrary code execution [ref_id=1].
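The following is an added example, not code from ansible-core or from the advisory, that models the difference between the two argument lists described above: one without and one with the `--` separator. It does not invoke git; a small simulator of git's option/positional split shows which entries git would consume as options, and a pre-check rejects option-shaped `src` values before any command is built. The function names, the option set in the argv (ansible-galaxy's real option list is not reproduced), the sample dependency entries and the `-c...` placeholder value are all constructed for this example.

```python
"""Added example: keeping a role's `src` value positional in a `git clone` argv.

Not ansible-core's own code. The argv shape, function names and sample
dependency entries are assumptions made for illustration.
"""
from typing import Dict, List


def build_clone_argv_vulnerable(src: str, dest: str) -> List[str]:
    """Argument list in the shape the advisory describes for unpatched code:
    `src` follows the command directly, so a value starting with '-' is parsed
    by git as an option rather than as the repository to clone."""
    return ["git", "clone", src, dest]


def build_clone_argv_fixed(src: str, dest: str) -> List[str]:
    """Argument list with the fix applied: a bare '--' ends option parsing, so
    every later entry is positional however it begins."""
    return ["git", "clone", "--", src, dest]


def options_git_would_consume(argv: List[str]) -> List[str]:
    """Model of git's option/positional split (a simplification, not git):
    entries starting with '-' before a bare '--' are options; everything after
    '--' is positional. Returns the entries that would be taken as options."""
    options = []
    for arg in argv[2:]:  # skip the "git" and "clone" words
        if arg == "--":
            break
        if arg.startswith("-"):
            options.append(arg)
    return options


def src_is_option_like(src: str) -> bool:
    """Defensive pre-check an installer can apply in addition to '--': no
    legitimate repository URL or path begins with '-', so such a value can be
    rejected before any command line is assembled."""
    return src.startswith("-")


def audit_dependencies(deps: List[Dict[str, str]]) -> List[str]:
    """Return the names of dependency entries whose `src` is option-shaped.
    Entries mirror meta/requirements.yml items with `src` and `name` keys."""
    return [d["name"] for d in deps if src_is_option_like(d.get("src", ""))]


# Constructed sample dependency entries (invented values, not from any real role).
SAMPLE_DEPENDENCIES = [
    {"src": "https://git.example.invalid/org/good-role.git", "name": "good_role"},
    {"src": "-cexample.setting=value", "name": "crafted_role"},  # placeholder option-shaped src
]


if __name__ == "__main__":
    crafted = SAMPLE_DEPENDENCIES[1]["src"]
    print("vulnerable argv consumes:", options_git_would_consume(
        build_clone_argv_vulnerable(crafted, "/tmp/role")))
    print("fixed argv consumes:", options_git_would_consume(
        build_clone_argv_fixed(crafted, "/tmp/role")))
    print("flagged entries:", audit_dependencies(SAMPLE_DEPENDENCIES))
```

The separator is the actual fix; the `src_is_option_like` check is a belt-and-braces addition, since a `src` that starts with `-` has no legitimate meaning as a repository location and can be refused before `Popen` is ever reached.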

Preconditions

  • Input: The user must install a malicious Ansible role that contains crafted dependency specifications in its `meta/requirements.yml` file.
  • Auth: The user installing the role does not need special privileges, only the ability to run `ansible-galaxy role install`.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.