CVE-2026-11837

Summary

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

  1. Do not run the ansible.posix authorized_key module with elevated privileges against untrusted user accounts.
  2. Validate that target user home directories do not contain unexpected symbolic links before running playbooks.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

Additional References

References