CVE-2026-11837
Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected products
Red Hat · Red Hat Enterprise Linux 10Red Hat · Red Hat Enterprise Linux 8Red Hat · Red Hat Enterprise Linux 9Red Hat · Red Hat OpenStack Platform 17.1Red Hat · Red Hat OpenStack Platform 18.0public PoCs found — 1
githubgithub.com/M8seven/cve-2026-11837-ansible-posix-authorized-key★ 1⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →