Skip to content

chore(deps): update dependency ansible-core [security]#2594

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-ansible-core-vulnerability
Open

chore(deps): update dependency ansible-core [security]#2594
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-ansible-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
ansible-core 2.18.92.18.18 age confidence
ansible-core 2.16.142.16.19 age confidence

ansible-core: Argument injection in ansible-galaxy role install leads to arbitrary code execution

CVE-2026-11332 / GHSA-w8p5-mx5w-cpqj

More information

Details

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

1 participant