PT-2026-49716 · Red Hat · Red Hat Ansible Automation Platform 2

Chris Meyers

·

Published

2026-06-16

·

Updated

2026-06-16

·

CVE-2026-12398

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch and tag names) into a shell command string that is executed via subprocess.run() with shell=True. Because git itself permits characters such as `;`, `$`, backtick, `|` and `&` in ref names, an authenticated user who controls the git repository being imported can create a branch or tag whose name carries shell metacharacters and thereby execute arbitrary commands on the pulp worker that performs the import. The vulnerable endpoint is reachable only when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration; deployments that have not enabled legacy role imports are not exposed to this path.

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2026-12398

Affected Products

Red Hat Ansible Automation Platform 2