CVE Catalog

CVE-2026-12398

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.89%

55th percentile — higher than 55% of all known CVEs

Summary

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names into shell commands executed via subprocess.run() with shell=True. An authenticated user controlling a git repository can create a branch or tag with shell metacharacters to achieve remote code execution on the pulp worker.

Risk Assessment

The risk for the organization is remote code execution by an authenticated user on the pulp worker, potentially leading to system compromise, data theft, or lateral movement. The vulnerability is limited to configurations with GALAXY_ENABLE_LEGACY_ROLES enabled, which is not the default.

Recommendation

Immediately disable GALAXY_ENABLE_LEGACY_ROLES if not required, and apply security patches from the vendor. Also audit git repositories for suspicious branch or tag names.

Original NVD description (English source)

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS