CVE-2026-12398
HighCVSS 7.5Exploitation Probability (EPSS)
Elevated risk55th percentile — higher than 55% of all known CVEs
Summary
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names into shell commands executed via subprocess.run() with shell=True. An authenticated user controlling a git repository can create a branch or tag with shell metacharacters to achieve remote code execution on the pulp worker.
Risk Assessment
The risk for the organization is remote code execution by an authenticated user on the pulp worker, potentially leading to system compromise, data theft, or lateral movement. The vulnerability is limited to configurations with GALAXY_ENABLE_LEGACY_ROLES enabled, which is not the default.
Recommendation
Immediately disable GALAXY_ENABLE_LEGACY_ROLES if not required, and apply security patches from the vendor. Also audit git repositories for suspicious branch or tag names.
Original NVD description (English source)
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.

