CVE-2026-11837: Ansible Posix authorized_key Local Privilege Escalation
A vulnerability in Ansible's posix authorized_key module allows a local user to escalate their privileges to root. The flaw stems from how the module handles SSH key file operations: it follows symbolic links when changing file ownership instead of operating directly on the link itself. An attacker with a local account can create malicious symbolic links in their .ssh directory, then wait for a system administrator to run an Ansible task that manages authorized keys with elevated privileges. When that happens, the module will change ownership of arbitrary files on the system—potentially giving the attacker control over critical system files and full system access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-59
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-15
NVD description (verbatim)
A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The ansible.posix authorized_key module contains an insecure file handling vulnerability in its keyfile() function. The vulnerability has two components: (1) the function uses os.chown() rather than os.lchown(), causing it to follow symbolic links and modify the target file's ownership rather than the link itself, and (2) files are opened without the O_NOFOLLOW flag, allowing symlink-based attacks. When an operator executes an authorized_key task with root privileges, an unprivileged local user who has pre-staged symbolic links in their ~/.ssh directory can cause arbitrary files elsewhere on the system to be chown'd to their ownership. This breaks the intended isolation between user and system-owned resources, enabling privilege escalation. The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access, also known as 'Link Following').
Business impact
This vulnerability enables direct privilege escalation from an unprivileged local account to root on systems running affected Ansible versions. Organizations using Ansible for infrastructure automation—particularly those running authorized_key tasks as part of provisioning, configuration management, or incident response workflows—face a material risk: any administrator who executes an authorized_key task can inadvertently grant root-level file access to a local attacker. This is especially dangerous in shared hosting, multi-tenant, or DevOps environments where developers or build agents may have local account access. Compromise can lead to unauthorized system modifications, data theft, malware persistence, or lateral movement within the infrastructure.
Affected systems
This vulnerability affects the ansible.posix collection's authorized_key module. The vulnerability manifests when: (1) an unprivileged local user has an account on the system, (2) Ansible runs the authorized_key task with elevated (root) privileges, and (3) the module attempts to manage SSH key files in user home directories. Systems where Ansible is deployed for configuration management, infrastructure provisioning, or automated key rotation are at risk. The vulnerability does not require network access to exploit—it is purely local—but requires user interaction in the sense that an administrator must trigger an authorized_key task while the attacker's symbolic links are in place.
Exploitability
Exploitability is straightforward for a local attacker. The attack requires: (1) a valid local user account (low barrier in shared environments), (2) knowledge of when an authorized_key task will run (often predictable in automated systems), and (3) ability to create symbolic links in ~/.ssh (standard file system permissions). The CVSS vector (AV:L/AC:L/PR:L/UI:R) reflects that local access and low complexity are required, but user interaction (UI:R) is needed—specifically, an administrator must run the authorized_key task. In environments with automated, regularly scheduled Ansible runs, the timing becomes less of a barrier. No authentication bypass or complex exploitation technique is required; the vulnerability is a straightforward symlink race condition.
Remediation
Remediation requires updating ansible.posix to a patched version that corrects the authorized_key module's file handling. The fix involves replacing os.chown() with os.lchown() and adding O_NOFOLLOW when opening files, ensuring the module operates directly on the target file and does not follow symbolic links. Additionally, organizations should audit their Ansible automation to identify which tasks run with elevated privileges and restrict execution to trusted operators. Where possible, use Ansible execution environments or containerization to limit local account access on systems running Ansible playbooks. Review logs for any authorized_key tasks executed during the vulnerability exposure window to detect potential exploitation.
Patch guidance
Check the ansible.posix collection release notes and advisory channels for patched versions. Updates will be released through the standard Ansible Galaxy and pip distribution channels. Verify against the vendor advisory for specific version numbers addressing this flaw. Organizations should test patches in a non-production environment before deployment to ensure compatibility with existing playbooks and configurations. Consider coordinating patch deployment with change management processes to minimize disruption to automation workflows.
Detection guidance
Monitor for unauthorized_key tasks running with elevated privileges, particularly any that execute outside of expected maintenance windows or with unexpected frequency. Audit system logs and Ansible execution logs for evidence of chown() operations on unexpected files, especially in critical system directories (e.g., /etc, /root). Check for the presence of symbolic links in user .ssh directories that do not point to expected files—this may indicate an attempted exploitation setup. Host-based file integrity monitoring (FIM) can alert on unexpected ownership changes to sensitive files. In security investigations, correlate Ansible task execution timestamps with sudden privilege level changes or suspicious file ownership modifications.
Why prioritize this
This vulnerability merits prompt attention due to its direct path to root privilege escalation combined with the commonality of local user accounts in production environments. The CVSS 7.3 HIGH score reflects the severity, and although KEV status is not currently assigned, the combination of high impact (compromise of system integrity and confidentiality), low attack complexity, and the widespread use of Ansible in infrastructure automation makes this a strong candidate for rapid patching. Organizations managing many systems via Ansible should prioritize this in their patch queue, especially if running playbooks as root.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) is derived from: Attack Vector: Local (AV:L)—requires local system access; Attack Complexity: Low (AC:L)—no special conditions needed beyond predictable task execution; Privileges Required: Low (PR:L)—an unprivileged local account suffices; User Interaction: Required (UI:R)—an administrator must trigger the authorized_key task; Scope: Unchanged (S:U)—the impact is confined to the affected system; Confidentiality: High (C:H)—attacker can read sensitive files after escalation; Integrity: High (I:H)—attacker can modify critical files; Availability: High (A:H)—attacker can delete or disable services. The overall score reflects a serious vulnerability that an insider or low-privileged local user can exploit reliably to gain full system control, but that does require administrator action to trigger.
Frequently asked questions
Do I need to be an Ansible operator to exploit this vulnerability?
No. You need to be a local user on a system where Ansible is configured to run authorized_key tasks with elevated privileges. An unprivileged local account is sufficient. The administrator running Ansible is the one who enables the vulnerability; the attacker simply pre-stages symbolic links and waits.
Can this vulnerability be exploited remotely?
No. The attack vector is purely local (AV:L in the CVSS vector). Remote attackers cannot exploit this vulnerability directly. However, in cloud or shared hosting scenarios, obtaining a local account through another vulnerability or misconfiguration could enable this attack.
What's the difference between os.chown() and os.lchown(), and why does it matter here?
os.chown() follows symbolic links and modifies the ownership of the target file. os.lchown() modifies the ownership of the link itself without following it. In this vulnerability, the use of os.chown() allows an attacker's symlink to redirect the ownership change to any file on the system, such as a setuid binary or system configuration file, rather than just the attacker's own key file.
If I run Ansible with a non-root user, am I protected?
This vulnerability requires the authorized_key task to run with elevated (typically root) privileges to be exploitable for privilege escalation. If Ansible runs as an unprivileged user, the impact is reduced, though the module's insecure file handling remains a design flaw. However, running Ansible as non-root may not be practical in all environments, so patching is the recommended mitigation regardless.
This analysis is provided for informational purposes and represents the state of publicly available information as of the publication date. Vulnerability details and patch availability are subject to change. Organizations should verify all technical claims, patch version numbers, and vendor guidance directly against official Ansible and ansible.posix security advisories before taking remedial action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for decisions made based on this content. Always conduct your own security assessment appropriate to your environment and risk profile. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-41236HIGHFroxlor 2.3.6 Symlink Privilege Escalation to Root
- CVE-2026-42989HIGHWindows Winlogon Privilege Escalation Vulnerability Analysis
- CVE-2026-45586HIGHWindows Collaborative Translation Framework Privilege Escalation Vulnerability
- CVE-2026-49135HIGHCodexBar Insecure Temporary File Handling Allows Local Credential Theft
- CVE-2026-50511HIGHMicrosoft PC Manager Local Privilege Escalation via Link Following
- CVE-2026-9804HIGHKubeVirt virt-exportserver Path Traversal Information Disclosure
- CVE-2026-11322MEDIUMHermes WebUI Path Traversal Vulnerability – Credential Exposure Risk
- CVE-2026-11853MEDIUMDebusine Arbitrary Symlink Creation via Manifest Path Traversal