CVE Catalog

CVE-2026-11332

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile - higher than 5% of all known CVEs

Summary

A flaw was found in ansible-core where the ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field, leading to arbitrary code execution on the machine of a user who installs the role.

Risk Assessment

The organization risks full system compromise when installing Ansible roles, potentially leading to data theft, malware installation, or further attacks on the infrastructure.

Recommendation

Immediately update ansible-core to the latest patched version and avoid installing roles from untrusted sources until the update is applied.

Original NVD description (English source)

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS