Skip to content

Update dependency ansible-core to v2.19.11 [SECURITY]#2476

Merged
berendt merged 1 commit into
mainfrom
renovate/pypi-ansible-core-vulnerability
Jul 17, 2026
Merged

Update dependency ansible-core to v2.19.11 [SECURITY]#2476
berendt merged 1 commit into
mainfrom
renovate/pypi-ansible-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
ansible-core ==2.19.3==2.19.11 age confidence

ansible-core: Argument injection in ansible-galaxy role install leads to arbitrary code execution

CVE-2026-11332 / GHSA-w8p5-mx5w-cpqj

More information

Details

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Severity

  • CVSS Score: 7.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
@renovate renovate Bot added the renovate label Jul 17, 2026
@github-project-automation github-project-automation Bot moved this to Backlog in Bot Board Jul 17, 2026
@berendt
berendt merged commit 68daeb0 into main Jul 17, 2026
4 checks passed
@berendt
berendt deleted the renovate/pypi-ansible-core-vulnerability branch July 17, 2026 10:31
@github-project-automation github-project-automation Bot moved this from Backlog to Done in Bot Board Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants