Galaxy_ng: shell injection in legacy role import via unsanitized git ref names
Summary
| CVE | CVE-2026-12398 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-16 15:16:36 UTC |
| Updated | 2026-06-29 18:16:36 UTC |
| Description | A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.008890000 probability, percentile 0.548190000 (date 2026-06-30)
Problem Types: CWE-78 | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-12398 | [email protected] | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: This issue was discovered by Chris Meyers (Red Hat). (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-16T13:13:58.336Z | Reported to Red Hat. |
| CNA | 2026-06-16T00:00:00.000Z | Made public. |
Workarounds
CNA: The following practices would help for avoiding exposure and mitigate this flaw: 1. Ensure that GALAXY_ENABLE_LEGACY_ROLES is set to False (the default) in your Galaxy/Hub configuration. This prevents the v1 API routes from being registered, making the vulnerable endpoint entirely unreachable. 2. If legacy role support must be enabled, restrict access to the Galaxy/Hub API to trusted users only. The vulnerability requires authentication, so limiting who can authenticate reduces exposure. 3. Monitor import activity for suspicious git references containing shell metacharacters in branch or tag names.