{"api_version":"1","generated_at":"2026-07-13T07:40:35+00:00","cve":"CVE-2026-12398","urls":{"html":"https://cve.report/CVE-2026-12398","api":"https://cve.report/api/cve/CVE-2026-12398.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-12398","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-12398"},"summary":{"title":"Galaxy_ng: shell injection in legacy role import via unsanitized git ref names","description":"A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-06-16 15:16:36","updated_at":"2026-06-29 18:16:36"},"problem_types":["CWE-78","CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-12398","name":"https://access.redhat.com/security/cve/CVE-2026-12398","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489180","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2489180","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-12398","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12398","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-06-16T13:13:58.336Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-06-16T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"The following practices would help for avoiding exposure and mitigate this flaw:\n\n1. Ensure that GALAXY_ENABLE_LEGACY_ROLES is set to False (the default) in your Galaxy/Hub configuration. This prevents the v1 API routes from being registered, making the vulnerable endpoint entirely unreachable.\n\n2. If legacy role support must be enabled, restrict access to the Galaxy/Hub API to trusted users only. The vulnerability requires authentication, so limiting who can authenticate reduces exposure.\n\n3. Monitor import activity for suspicious git references containing shell metacharacters in branch or tag names.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"This issue was discovered by Chris Meyers (Red Hat).","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"12398","cve":"CVE-2026-12398","epss":"0.008890000","percentile":"0.548190000","score_date":"2026-06-30","updated_at":"2026-07-01 00:05:17"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-12398","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-16T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-17T03:55:53.274Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","packageName":"ansible-automation-platform-24/hub-rhel8","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-25/hub-rhel8","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-26/hub-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform-27/hub-rhel9","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","packageName":"automation-hub","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unknown","packageName":"python3.11-galaxy-ng","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unknown","packageName":"python3.12-galaxy-ng","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unknown","packageName":"python3x-galaxy-ng","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unknown","packageName":"python-galaxy-ng","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"This issue was discovered by Chris Meyers (Red Hat)."}],"datePublic":"2026-06-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-29T17:37:37.751Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-12398"},{"name":"RHBZ#2489180","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489180"}],"timeline":[{"lang":"en","time":"2026-06-16T13:13:58.336Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-16T00:00:00.000Z","value":"Made public."}],"title":"Galaxy_ng: shell injection in legacy role import via unsanitized git ref names","workarounds":[{"lang":"en","value":"The following practices would help for avoiding exposure and mitigate this flaw:\n\n1. Ensure that GALAXY_ENABLE_LEGACY_ROLES is set to False (the default) in your Galaxy/Hub configuration. This prevents the v1 API routes from being registered, making the vulnerable endpoint entirely unreachable.\n\n2. If legacy role support must be enabled, restrict access to the Galaxy/Hub API to trusted users only. The vulnerability requires authentication, so limiting who can authenticate reduces exposure.\n\n3. Monitor import activity for suspicious git references containing shell metacharacters in branch or tag names."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-12398","datePublished":"2026-06-16T14:52:06.734Z","dateReserved":"2026-06-16T13:22:54.012Z","dateUpdated":"2026-06-29T17:37:37.751Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-16 15:16:36","lastModifiedDate":"2026-06-29 18:16:36","problem_types":["CWE-78","CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-16T00:00:00+00:00","id":"CVE-2026-12398","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"12398","Ordinal":"1","Title":"Galaxy_ng: shell injection in legacy role import via unsanitized","CVE":"CVE-2026-12398","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"12398","Ordinal":"1","NoteData":"A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.","Type":"Description","Title":"Galaxy_ng: shell injection in legacy role import via unsanitized"}]}}}