CVE-2026-11837

Vulnerability

A local privilege escalation vulnerability exists in the ansible.posix authorized_key module. The keyfile() function incorrectly uses os.chown() instead of os.lchown() and opens files without the O_NOFOLLOW flag when managing SSH authorized keys. This affects versions of the ansible.posix collection where this behavior is present.

Exploitation

An unprivileged local user can exploit this vulnerability by creating symbolic links within their ~/.ssh directory. When an operator executes an authorized_key task as root, the module will follow these symbolic links. This allows the user to manipulate ownership of arbitrary system files or directories by tricking the chown operation into targeting them instead of the intended authorized_keys file.

Impact

Successful exploitation allows an unprivileged local user to escalate their privileges to root. By controlling the ownership of critical system files or directories, an attacker can potentially gain complete control over the affected system.

Mitigation

This vulnerability is addressed in a fixed version of the ansible.posix collection. Users should update to the patched version as soon as possible. No specific version or release date for the fix is provided in the available references, but the issue is noted as fixed in reference [2].