
Description

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
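The weakness described above is the familiar pair of path-based ownership changes and symlink-following opens. The following is an added example (it is not the ansible.posix module's code) showing the hardened pattern a defender would want in any tool that writes into a user's ~/.ssh as root: open with O_NOFOLLOW so a staged symlink makes the open fail instead of being followed, verify the open descriptor with fstat, change ownership through the descriptor (fchown) rather than by path, and use lstat/lchown for the directory itself. The function names, the SAMPLE_KEY line and the temporary-directory scenario in demo() are all constructed for this example.

```python
import errno
import os
import stat
import tempfile

# Constructed sample key line used by demo(); not a real key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3 example-key"


def ensure_dir_owner(path, uid=-1, gid=-1):
    """Set ownership of a directory (e.g. ~/.ssh) without dereferencing it.

    os.lstat and os.lchown act on the path entry itself, so a symlink staged
    at `path` is detected and refused rather than having its target chowned.
    Returns True when ownership was applied to a real directory.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing to chown through symlink: {path}")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"not a directory: {path}")
    os.lchown(path, uid, gid)  # -1 leaves that id unchanged
    return True


def write_authorized_keys(path, key_line, uid=-1, gid=-1, mode=0o600):
    """Append key_line to path, refusing to follow a symlink at the final component.

    O_NOFOLLOW makes open() fail (ELOOP on Linux) if `path` is a symlink, so
    the check and the open are a single atomic step. Ownership is then changed
    through the descriptor (fchown) instead of by path, so there is no second
    lookup that could be redirected. Returns the number of bytes written.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise RuntimeError(f"refusing to write through symlink: {path}") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RuntimeError(f"not a regular file: {path}")
        os.fchown(fd, uid, gid)
        return os.write(fd, key_line.rstrip("\n").encode() + b"\n")
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir: a symlink sits where authorized_keys
    would be, pointing at a file outside the .ssh directory. Returns a dict
    showing the hardened writer refused the link and left the target intact,
    while a regular file is written normally and the directory chown succeeds."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside_file")
        with open(outside, "w") as f:
            f.write("original\n")
        ssh_dir = os.path.join(tmp, "ssh")
        os.mkdir(ssh_dir, 0o700)
        link = os.path.join(ssh_dir, "authorized_keys")
        os.symlink(outside, link)

        refused = False
        try:
            write_authorized_keys(link, SAMPLE_KEY)
        except RuntimeError:
            refused = True
        with open(outside) as f:
            unchanged = f.read() == "original\n"

        written = write_authorized_keys(
            os.path.join(ssh_dir, "authorized_keys.new"), SAMPLE_KEY)
        dir_ok = ensure_dir_owner(ssh_dir)
        return {"refused": refused, "outside_unchanged": unchanged,
                "written": written, "dir_ok": dir_ok}


if __name__ == "__main__":
    print(demo())
```

The point of doing the check inside open() rather than with a separate islink() test is that a lstat-then-open sequence can be raced; O_NOFOLLOW plus fstat on the returned descriptor is the race-free form, and fchown on that same descriptor keeps the ownership change bound to the file that was actually opened.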

Status: PUBLISHED | Reserved: 2026-06-10 | Published: 2026-06-10 | Updated: 2026-06-10 | Assigner: redhat

HIGH: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Problem types

Improper Link Resolution Before File Access ('Link Following')

Product status

Default status: affected
Default status: affected
Default status: unknown
Default status: unknown
Default status: affected
Default status: affected

Timeline

2026-06-07: Reported to Red Hat.
2026-06-10: Made public.

Credits

Red Hat would like to thank Valentino Paulon for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-11837 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2487424 (RHBZ#2487424) issue-tracking

cve.org (CVE-2026-11837)

nvd.nist.gov (CVE-2026-11837)
