Fluid Attacks Database

Description

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ansible	=10.0.0+dfsg-1 \|\| =10.0.1+dfsg-1 \|\| =10.1.0+dfsg-1 \|\| =10.5.0+dfsg-1 \|\| =10.5.0+dfsg-2 \|\| =10.6.0+dfsg-1 \|\| =11.1.0+dfsg-1 \|\| =11.2.0+dfsg-1 \|\| =12.0.0+dfsg-1 \|\| =12.0.0~a1+dfsg-1 \|\| =12.0.0~a2+dfsg-1 \|\| =12.0.0~a4+dfsg-1 \|\| =12.0.0~a6+dfsg-1 \|\| =12.0.0~b1+dfsg-1 \|\| =12.0.0~b2+dfsg-1 \|\| =12.0.0~b3+dfsg-1 \|\| =12.0.0~b5+dfsg-1 \|\| =12.2.0+dfsg-1 \|\| =13.1.0+dfsg-1 \|\| =13.4.0+dfsg-1 \|\| =14.0.0~a4+dfsg-1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u3 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u4 \|\| =2.10.7+merged+base+2.10.8+dfsg-1 \|\| =4.6.0-1 \|\| =5.4.0-1 \|\| =5.5.0-1 \|\| =6.3.0+dfsg-1 \|\| =6.4.0+dfsg-1 \|\| =7.0.0+dfsg-1 \|\| =7.0.0+dfsg-2 \|\| =7.1.0+dfsg-1 \|\| =7.2.0+dfsg-2 \|\| =7.3.0+dfsg-1 \|\| =7.7.0+dfsg-1 \|\| =7.7.0+dfsg-2 \|\| =7.7.0+dfsg-3 \|\| =9.4.0+dfsg-1 \|\| =9.5.1+dfsg-1	-
debian 12	ansible	>=0 <5.4.0-1	5.4.0-1
debian 13	ansible	>=0 <5.4.0-1	5.4.0-1
debian 14	ansible	>=0 <5.4.0-1	5.4.0-1
debian 12	ansible-core	=2.14.10-1 \|\| =2.14.11-1 \|\| =2.14.11-2 \|\| =2.14.13-1 \|\| =2.14.16-0+deb12u1 \|\| =2.14.18-0+deb12u1 \|\| =2.14.18-0+deb12u2 \|\| =2.14.3-1 \|\| =2.14.6-1 \|\| =2.14.7-1 \|\| =2.14.8-1 \|\| =2.14.9-1 \|\| =2.14.9-2 \|\| =2.16.5-1 \|\| =2.16.6-1 \|\| =2.17.0-1 \|\| =2.17.1-1 \|\| =2.17.2-1 \|\| =2.17.3-1 \|\| =2.17.5-1 \|\| =2.17.5-2 \|\| =2.17.5-3 \|\| =2.17.5-4 \|\| =2.17.5-5 \|\| =2.18.0-1 \|\| =2.18.0-2 \|\| =2.18.1-1 \|\| =2.18.1-2 \|\| =2.18.1-3 \|\| =2.18.1-4 \|\| =2.18.3-1 \|\| =2.19.0-1 \|\| =2.19.0~beta1-1 \|\| =2.19.0~beta1-2 \|\| =2.19.0~beta2-1 \|\| =2.19.0~beta4-1 \|\| =2.19.0~beta5-1 \|\| =2.19.0~beta6-1 \|\| =2.19.0~rc2-1 \|\| =2.19.1-1 \|\| =2.19.2-1 \|\| =2.19.3-1 \|\| =2.19.3-2 \|\| =2.19.4-1 \|\| =2.19~pre20250506~462affa7c4-1 \|\| =2.19~pre20250510~5347d4d4fc-1 \|\| =2.20.1-1 \|\| =2.20.3-1 \|\| =2.21.0-1	-
debian 13	ansible-core	=2.19.0-1 \|\| =2.19.0~beta6-1 \|\| =2.19.0~rc2-1 \|\| =2.19.1-0+deb13u1 \|\| =2.19.1-1 \|\| =2.19.2-1 \|\| =2.19.3-1 \|\| =2.19.3-2 \|\| =2.19.4-0+deb13u1 \|\| =2.19.4-1 \|\| =2.20.1-1 \|\| =2.20.3-1 \|\| =2.21.0-1	-
debian 14	ansible-core	=2.19.0-1 \|\| =2.19.0~beta6-1 \|\| =2.19.0~rc2-1 \|\| =2.19.1-1 \|\| =2.19.2-1 \|\| =2.19.3-1 \|\| =2.19.3-2 \|\| =2.19.4-1 \|\| =2.20.1-1 \|\| =2.20.3-1 \|\| =2.21.0-1	-

Aliases

1. CVE-2026-113322. NVD-2026-113323. OSV-DEBIAN-2026-113324. OSV-2026-113325. SECURITY-TRACKER-CVE-2026-11332

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.