
Description

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
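An added defender-side example (not galaxy_ng's code; the ref-name policy, the repository path and the function names are assumptions) showing the hardened shape of the operation described above: validate the branch or tag name against a conservative allowlist, then invoke git with an argument list so no shell ever interprets the ref name:

```python
import re
import subprocess
from typing import Callable, List

# Hypothetical allowlist for git ref names (branches/tags), stricter than
# git's own check-ref-format: only [A-Za-z0-9._/-], no leading '-' (which
# git could parse as an option), no empty or dot-leading path component,
# no "..", no trailing "/" or ".lock". This policy is an assumption of the
# example, not galaxy_ng's code.
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def is_safe_ref_name(ref: str) -> bool:
    """Return True only for ref names this example will hand to git."""
    if not _REF_RE.fullmatch(ref):
        return False                      # shell metacharacters, '-' prefix, etc.
    if ".." in ref or ref.endswith(("/", ".lock")):
        return False
    return all(part and not part.startswith(".") for part in ref.split("/"))


def build_checkout_argv(repo_dir: str, ref: str) -> List[str]:
    """Build an argv list for git; the ref is one argument, never shell text."""
    if not is_safe_ref_name(ref):
        raise ValueError(f"refusing unsafe git ref name: {ref!r}")
    return ["git", "-C", repo_dir, "checkout", ref]


def checkout_ref(repo_dir: str, ref: str,
                 run: Callable[..., object] = subprocess.run) -> List[str]:
    """Hardened counterpart of a shell=True checkout: validate, then exec
    git with an argument list so no shell ever interprets the ref name."""
    argv = build_checkout_argv(repo_dir, ref)
    run(argv, check=True, capture_output=True)   # no shell=True, no f-string
    return argv


if __name__ == "__main__":
    # Constructed ref names: the first two are ordinary, the rest carry the
    # kind of metacharacters a shell would interpret when interpolated.
    for ref in ["main", "release/1.2.0", "v1.0;echo injected",
                "$(whoami)", "main`id`", "-c", "a/../b", "feature/.hidden"]:
        print(f"{ref!r:28} -> {'ok' if is_safe_ref_name(ref) else 'REJECT'}")
```

The `run` parameter exists so the checkout can be exercised without a real repository; in production it stays `subprocess.run`.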

Status: PUBLISHED | Reserved: 2026-06-16 | Published: 2026-06-16 | Updated: 2026-06-17 | Assigner: redhat

Severity: HIGH 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: affected

Timeline

2026-06-16: Reported to Red Hat.
2026-06-16: Made public.

Credits

This issue was discovered by Chris Meyers (Red Hat).

References

- access.redhat.com/security/cve/CVE-2026-12398 (vdb-entry)
- bugzilla.redhat.com/show_bug.cgi?id=2489180 (RHBZ#2489180, issue-tracking)
- cve.org (CVE-2026-12398)
- nvd.nist.gov (CVE-2026-12398)
