An argument injection vulnerability in ansible-core’s ansible-galaxy role install command, tracked as CVE-2026-11332 (CVSS 7.8), allows a malicious Ansible role to execute arbitrary code on the system running the installation. The vulnerability exists because dependency specifications in a role’s meta/requirements.yml file do not properly neutralise argument delimiters in the src field, enabling injection of arbitrary git configuration flags.
What Is the Vulnerability?
CVE-2026-11332 is an argument injection vulnerability (CWE-88) in how ansible-core processes role dependencies. When ansible-galaxy role install handles a role whose meta/requirements.yml lists dependencies, it builds the git command line directly from each dependency's src field. Because that value is not checked for argument delimiters, a src that begins with a dash is parsed by git as an option rather than as a repository URL. A malicious role author can therefore inject git options such as --config or -c, which set arbitrary git configuration values for the clone, and attacker-chosen configuration values can lead to command execution during the clone operation.
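The following is an added example, not ansible-core's own code, showing the naive argv construction the advisory describes beside a hardened form. The URL, the flag-shaped src value and the allowed-scheme pattern are constructed for illustration; the hostile value is merely option-shaped and is not a working exploit.

```python
"""Naive vs hardened git argv construction for a dependency 'src' value.

Added example, not ansible-core code. Everything below (URLs, the flag-shaped
hostile value, the allowed-scheme pattern) is constructed for illustration.
"""
import re
import subprocess

# Constructed sample values: a normal git URL and an option-shaped string.
# The hostile value only demonstrates the parsing problem; it is not an exploit.
BENIGN_SRC = "https://github.com/example-org/example-role.git"
HOSTILE_SRC = "--config=example.key=value"

# Assumed allow-list of src shapes a git dependency may legitimately have:
# https://, ssh://, git://, git+ssh:// URLs and user@host:path scp-style paths.
_ALLOWED_SRC = re.compile(
    r"^(https://|ssh://|git://|git\+ssh://|[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:)"
)


def build_clone_argv_naive(src: str, dest: str) -> list:
    """Vulnerable pattern: src goes straight into argv after 'clone'.

    No shell is involved, so shell metacharacters are inert, but git's own
    option parser still treats a leading '-' as an option, not a URL.
    """
    return ["git", "clone", src, dest]


def validate_src(src: str) -> str:
    """Reject option-like or unrecognised src values before they reach git."""
    if not src or src.lstrip().startswith("-"):
        raise ValueError(f"refusing option-like src: {src!r}")
    if not _ALLOWED_SRC.match(src):
        raise ValueError(f"src is not a recognised git URL: {src!r}")
    return src


def build_clone_argv_hardened(src: str, dest: str) -> list:
    """Hardened pattern: validate, then end option parsing with '--'.

    '--' makes everything after it positional, so even a value that slipped
    past validate_src could not be interpreted as an option.
    """
    return ["git", "clone", "--", validate_src(src), dest]


def git_sees_as_option(argv: list, value: str) -> bool:
    """Model git's option parsing: would `value` be read as an option?

    True only if value starts with '-' and no '--' terminator precedes it.
    """
    for token in argv[2:]:  # skip 'git' and the subcommand
        if token == "--":
            return False
        if token == value:
            return value.startswith("-")
    return False


def is_rejected(src: str) -> bool:
    """True if validate_src refuses src (a function so checks can call it)."""
    try:
        validate_src(src)
    except ValueError:
        return True
    return False


def clone(src: str, dest: str) -> None:
    """Clone with the hardened argv; a hostile src fails before git is started."""
    subprocess.run(build_clone_argv_hardened(src, dest), check=True)


if __name__ == "__main__":
    for src in (BENIGN_SRC, HOSTILE_SRC):
        naive = build_clone_argv_naive(src, "example-role")
        print(f"{src!r}: naive argv parses it as option = "
              f"{git_sees_as_option(naive, src)}, hardened rejects = {is_rejected(src)}")
```

Two points the code makes: passing argv as a list with no shell stops shell injection but not argument injection, because git itself parses the dash-prefixed argument; and the "--" terminator backs up the validation, so a value that slips past validate_src still lands in a positional slot rather than being read as an option.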
Ansible is the dominant IT automation platform, used across enterprises for server provisioning, configuration management, application deployment, and orchestration. The Ansible control node — the machine running ansible-core — holds SSH keys, credentials, and inventory information for the entire managed infrastructure. Code execution on the control node is effectively code execution across the entire managed estate.
The attack can be delivered through: (1) a malicious role published to Ansible Galaxy, (2) a compromised internal role repository, (3) a supply chain attack where a previously trusted role is updated with a malicious requirements.yml, or (4) a social engineering attack convincing an operator to install a role from an untrusted source.
- CVSS v3.1 Score: 7.8 (High)
- CWE: CWE-88 (Improper Neutralization of Argument Delimiters in a Command)
- Attack Vector: Local; exploitation requires an operator to install the malicious role on the control node
Which Versions Are Affected?
- ansible-core — all versions prior to the patched release
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed. However, the vulnerability was published on June 5, 2026 with full technical details. The Ansible Galaxy ecosystem contains thousands of community roles — any of which could be a vector if compromised or if a malicious role is published.
What Is the Fix?
Update ansible-core to the patched version via pip (pip install --upgrade ansible-core) or your distribution's package manager. The fix neutralises argument delimiters in the src field of requirements.yml so that a dependency source can no longer be parsed by git as an option.
Recommendations
Update ansible-core immediately. Ansible control nodes are tier-0 assets — they hold the keys to the entire infrastructure kingdom.
Audit installed Ansible roles. Review every installed role's meta/requirements.yml, including roles pulled in transitively as dependencies, for src values that begin with a dash or contain option-like tokens such as --config or -c. A legitimate src is a repository URL or a Galaxy role name and should never start with a dash.
Only install roles from trusted sources. Prefer internally maintained and audited role repositories over public Ansible Galaxy roles in production environments. Implement a review process for new role additions.
Run role installation in isolated environments. Use containers or dedicated build systems for role installation and testing — this limits the blast radius if a malicious role is inadvertently installed.
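The audit recommended above can be scripted. The following is an added example, not ansible-core or Galaxy tooling, that walks a roles directory and flags src values that git would parse as options. The requirements.yml content is constructed, and the parser handles only the flat list-of-mappings form ansible-galaxy uses; for arbitrary YAML, substitute PyYAML's yaml.safe_load.

```python
"""Audit installed Ansible roles for option-like src values in meta/requirements.yml.

Added example, not ansible-core code. The sample file is constructed, and
parse_requirements handles only the flat '- key: value' list form; use
yaml.safe_load from PyYAML for anything more elaborate.
"""
from __future__ import annotations

import os
import tempfile

# Constructed sample requirements.yml: one benign git dependency, one
# dependency whose src is option-shaped, and one bare Galaxy role name.
SAMPLE_REQUIREMENTS = """\
# constructed example, not from any real role
- src: https://github.com/example-org/benign-role.git
  scm: git
  version: main
  name: benign-role
- src: --config=example.key=value
  scm: git
  name: injected-role
- example-namespace.plain-galaxy-role
"""


def parse_requirements(text: str) -> list[dict]:
    """Minimal parser for the flat list-of-mappings form of requirements.yml.

    '- key: value' starts a new entry, indented 'key: value' lines extend it,
    and a bare '- name' item is a Galaxy role name.
    """
    entries: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- "):
            body = stripped[2:].strip()
            if ":" in body:
                key, _, value = body.partition(":")
                current = {key.strip(): value.strip().strip("'\"")}
            else:
                current = {"name": body.strip("'\"")}
            entries.append(current)
        elif current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip().strip("'\"")
    return entries


def option_like(value: str) -> bool:
    """True if the value, or any whitespace-separated piece of it, starts with '-'.

    git would read a leading '-' as an option; embedded ' -c ' only matters if a
    shell ever splits the value, but it is worth flagging in an audit either way.
    """
    return any(token.startswith("-") for token in value.split())


def audit_requirements(text: str) -> list[dict]:
    """Return the dependencies whose src is option-like."""
    findings = []
    for entry in parse_requirements(text):
        src = entry.get("src", "")
        if option_like(src):
            findings.append({"name": entry.get("name", "<unnamed>"), "src": src})
    return findings


def audit_roles_dir(roles_dir: str) -> dict[str, list[dict]]:
    """Check <roles_dir>/<role>/meta/requirements.yml for every role; report hits."""
    report: dict[str, list[dict]] = {}
    for role in sorted(os.listdir(roles_dir)):
        req = os.path.join(roles_dir, role, "meta", "requirements.yml")
        if not os.path.isfile(req):
            continue
        with open(req, encoding="utf-8") as fh:
            findings = audit_requirements(fh.read())
        if findings:
            report[role] = findings
    return report


def demo() -> dict[str, list[dict]]:
    """Build a throwaway roles tree holding the constructed sample and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        meta = os.path.join(tmp, "sample-role", "meta")
        os.makedirs(meta)
        with open(os.path.join(meta, "requirements.yml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_REQUIREMENTS)
        return audit_roles_dir(tmp)


if __name__ == "__main__":
    for role, findings in demo().items():
        for f in findings:
            print(f"{role}: dependency {f['name']!r} has option-like src {f['src']!r}")
```

Point audit_roles_dir at each roles path ansible-galaxy installs into (the roles_path setting, typically ~/.ansible/roles or a project's roles/ directory) and treat any hit as a role to quarantine and inspect rather than a false positive to suppress.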
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 6, 2026.
