Bug 2489180 (CVE-2026-12398)

Summary: CVE-2026-12398 galaxy_ng: shell injection in legacy role import via unsanitized git ref names
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dschmidt, erezende, jlanda, jmitchel, kshier, pbohmill, simaishi, smcdonal, stcannon, teagle, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-16 13:32:31 UTC
A command injection vulnerability was found in galaxy_ng's legacy role import functionality. The do_git_checkout() function in galaxy_ng/app/api/v1/tasks.py constructs shell commands via f-string interpolation using unsanitized git ref names (branch/tag names from the github_reference parameter) and executes them with subprocess.run(cmd, shell=True). An authenticated user who controls a git repository can create a branch or tag with shell metacharacters (such as ;, |, $(), &, >) in the name, and when the legacy role import processes this reference, the shell metacharacters are interpreted by the shell, achieving remote code execution on the pulp worker process.

The vulnerability requires GALAXY_ENABLE_LEGACY_ROLES to be set to True, which is NOT the default configuration in any shipped version of Red Hat Ansible Automation Platform (2.4 through 2.6). When this setting is False (the default), the v1 API routes are not registered in Django URL routing and the vulnerable endpoint returns 404. However, any deployment that explicitly enables legacy role support (e.g., community-galaxy profile or custom configurations) is exposed to authenticated RCE.

A secondary vector exists via the alternate_clone_url parameter, which accepts arbitrary URLs with no validation (enabling SSRF), though the git clone operation on that path uses shell=False, preventing shell injection via that specific parameter.