Intel

AIKIDO-2026-215161

ansible-core is vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')CVE-2026-11332 Published 2 days ago

78

High Risk

This Affects:

PYTHONansible-core
0.0.1 - 2.21.0
Fixed in 2.21.1
Are you affected? Scan for Free

TL;DR

Affected versions of ansible-core are vulnerable to command injection in the ansible-galaxy role install command due to improper neutralization of argument delimiters in role dependency specifications. A malicious role can inject arbitrary Git configuration options through the src field in meta/requirements.yml, potentially leading to arbitrary code execution on systems that install the role.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

ansible-core is vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in versions 0.0.1 - 2.21.0.

How to fix this

Upgrade the ansible-core library to the patch version.