CVE-2026-12398
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Workarounds
The following practices would help for avoiding exposure and mitigate this flaw:
Ensure that GALAXY_ENABLE_LEGACY_ROLES is set to False (the default) in your Galaxy/Hub configuration. This prevents the v1 API routes from being registered, making the vulnerable endpoint entirely unreachable.
If legacy role support must be enabled, restrict access to the Galaxy/Hub API to trusted users only. The vulnerability requires authentication, so limiting who can authenticate reduces exposure.
Monitor import activity for suspicious git references containing shell metacharacters in branch or tag names.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/security/cve/CVE-2026-12398
- https://bugzilla.redhat.com/show_bug.cgi?id=2489180
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.