CVE-2026-11837: Ansible-collection-ansible-posix: ansible.posix authorized_key: local privilege escalation via symlink-following chown
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The keyfile() function uses os.chown() (not os.lchown()) and plain open() (no O_NOFOLLOW) when managing a user's ~/.ssh directory and authorized_keys file. An unprivileged local user can pre-stage symlinks in their ~/.ssh directory. When an operator runs the authorized_key task as root, the module follows the symlinks and changes ownership of arbitrary files/directories to the unprivileged user, enabling root escalation. This is a sibling of CVE-2024-9902 (ansible-core user module), which addressed the same symlink-following class in generate_ssh_key. The authorized_key module in the separate ansible.posix collection was not covered by that fix.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-11837?
The severity of CVE-2026-11837 is rated high with a score of 7.3.
What type of vulnerability is CVE-2026-11837?
CVE-2026-11837 is a local privilege escalation vulnerability found in the ansible.posix authorized_key module.
How can CVE-2026-11837 be exploited?
CVE-2026-11837 can be exploited by an unprivileged local user who can pre-stage symlinks that manipulate the ownership of a user's ~/.ssh directory.
How do I fix CVE-2026-11837?
To fix CVE-2026-11837, update to the latest version of the ansible.posix collection that addresses this vulnerability.
What functions are vulnerable in CVE-2026-11837?
The keyfile() function is vulnerable because it uses os.chown() instead of os.lchown() and does not use O_NOFOLLOW.