PatchSiren cyber security CVE debrief
CVE-2026-12398 Red Hat CVE debrief
CVE-2026-12398 is a HIGH severity vulnerability with a CVSS score of 7.5. A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
- Vendor: Red Hat
- Product: Red Hat Ansible Automation Platform 2
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of galaxy_ng, particularly those who have GALAXY_ENABLE_LEGACY_ROLES set to True, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The do_git_checkout() function in the legacy role import API (v1) of galaxy_ng interpolates unsanitized git ref names (branch and tag names) into shell commands run through subprocess.run() with shell=True, which makes it vulnerable to command injection. An authenticated user who controls the imported git repository can create a branch or tag whose name contains shell metacharacters to achieve remote code execution on the pulp worker.
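The pattern described above, shown as an added example that is not galaxy_ng's or Red Hat's code: a hypothetical checkout helper that splices a ref name into a shell string (the anti-pattern), next to a hardened version that validates the ref name against a conservative allow-list and passes it to git as an argv element with no shell involved. The function names and the allow-list regex are assumptions of this example; the allow-list is deliberately stricter than git's own check-ref-format rules.

```python
import re
import shlex
import subprocess
from typing import List

# Assumed allow-list for branch/tag names used by this example.  It is
# stricter than what git permits, which is acceptable for an import pipeline
# that only ever needs ordinary release branches and version tags.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_ref_name(ref: str) -> bool:
    """Accept only plain branch/tag-like names.

    The first character may not be '-' (so the name can never be parsed as a
    git option), and shell metacharacters, whitespace and control characters
    are excluded outright by the allow-list.
    """
    if not _REF_RE.match(ref):
        return False
    # A few git-specific forms that the character class alone does not catch.
    if ".." in ref or "//" in ref or "/." in ref:
        return False
    if ref.endswith(("/", ".", ".lock")):
        return False
    return True


def vulnerable_checkout_command(repo_dir: str, ref: str) -> str:
    """Anti-pattern: the untrusted ref becomes part of a shell command string.

    Anything in `ref` that the shell treats specially is interpreted, so a
    branch or tag name chosen by whoever controls the repository becomes
    shell input on the worker.  Shown only for contrast; never run this.
    """
    return f"cd {repo_dir} && git checkout {ref}"


def safe_checkout_argv(ref: str) -> List[str]:
    """Build the argv list for a checkout; rejects names outside the allow-list.

    Because the command is a list and executed with shell=False, the ref is
    delivered to git as a single literal argument: no word splitting, no
    metacharacter interpretation.
    """
    if not is_safe_ref_name(ref):
        raise ValueError(f"refusing to check out suspicious ref name: {ref!r}")
    return ["git", "checkout", ref]


def quoted_for_shell(ref: str) -> str:
    """Fallback when a shell string truly cannot be avoided: quote the value.

    Validation plus argv lists (above) is the primary fix; shlex.quote is the
    defence-in-depth layer for code paths that still build shell strings.
    """
    return shlex.quote(ref)


def checkout(repo_dir: str, ref: str) -> None:
    """Run the hardened checkout inside an already-cloned repository."""
    subprocess.run(safe_checkout_argv(ref), cwd=repo_dir, check=True, shell=False)


if __name__ == "__main__":
    # Constructed sample names: one ordinary tag and one that carries shell
    # metacharacters of the kind an import pipeline must never pass to a shell.
    for name in ("v1.2.3", "main; echo injected"):
        try:
            print(name, "->", safe_checkout_argv(name))
        except ValueError as exc:
            print(exc)
```

The check lives in front of the argv construction rather than inside `checkout()` so that the same validator can be applied at the API boundary when the ref name first arrives, which also gives the request log a clear rejection reason to alert on.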
Defensive priority
HIGH
Recommended defensive actions
- Update galaxy_ng to a version that fixes the command injection vulnerability.
- Disable the legacy role import API (v1) if not needed.
- Set GALAXY_ENABLE_LEGACY_ROLES to False if possible.
Evidence notes
The CVE-2026-12398 record was obtained from the NVD database. Additional information was obtained from Red Hat's security advisory.
Official resources
CVE-2026-12398 was published on 2026-06-16T15:16:36.103Z and modified on 2026-06-16T15:26:04.250Z.