Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown

Summary

CVE	CVE-2026-11837
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-10 05:16:38 UTC
Updated	2026-06-30 03:17:09 UTC
Description	A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.

Risk And Classification

Primary CVSS: v3.1 7.3 HIGH from ADP

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001270000 probability, percentile 0.026410000 (date 2026-06-16)

Problem Types: CWE-59 | CWE-59 Improper Link Resolution Before File Access ('Link Following')

Version	Source	Type	Score	Severity	Vector
3.1	ADP	CVSS	7.3	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H`
3.1	[email protected]	Secondary	7.3	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H`
3.1	0b0ca135-0b70-47e7-9f44-1890c2a1c46c	Secondary	7.3	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H`
3.1	CNA	CVSS	7.3	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Red Hat	Red Hat Enterprise Linux 10	Not specified	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 8	Not specified	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 8	Not specified	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 9	Not specified	Not specified
CNA	Red Hat	Red Hat OpenStack Platform 17.1	Not specified	Not specified
CNA	Red Hat	Red Hat OpenStack Platform 18.0	Not specified	Not specified
ADP	Red Hat	Red Hat Enterprise Linux 8	Not specified	Not specified
ADP	Red Hat	Red Hat OpenStack Platform 17.1	Not specified	Not specified
ADP	Red Hat	Red Hat OpenStack Platform 18.0	Not specified	Not specified
ADP	Red Hat	Red Hat Enterprise Linux 10	Not specified	Not specified
ADP	Red Hat	Red Hat Enterprise Linux 9	Not specified	Not specified

References

Reference	Source	Link	Tags
bugzilla.redhat.com/show_bug.cgi	0b0ca135-0b70-47e7-9f44-1890c2a1c46c	bugzilla.redhat.com
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11837.json	0b0ca135-0b70-47e7-9f44-1890c2a1c46c	security.access.redhat.com
access.redhat.com/security/cve/CVE-2026-11837	0b0ca135-0b70-47e7-9f44-1890c2a1c46c	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Red Hat would like to thank Valentino Paulon for reporting this issue. (en)

Additional Advisory Data

Source	Time	Event
CNA	2026-06-07T00:00:00.000Z	Reported to Red Hat.
CNA	2026-06-10T00:00:00.000Z	Made public.
ADP	2026-06-07T00:00:00.000Z	Reported to Red Hat.
ADP	2026-06-10T00:00:00.000Z	Made public.

Workarounds

CNA: The following practices would help for avoiding exposure and mitigate this flaw: 1) Do not run the ansible.posix authorized_key module with elevated privileges against untrusted user accounts. 2) Validate that target user home directories do not contain unexpected symbolic links before running playbooks.

ADP: The following practices would help for avoiding exposure and mitigate this flaw: 1) Do not run the ansible.posix authorized_key module with elevated privileges against untrusted user accounts. 2) Validate that target user home directories do not contain unexpected symbolic links before running playbooks.

There are currently no legacy QID mappings associated with this CVE.