Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write
CVE-2026-53476

9.6CRITICAL

Key Information:

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-53476?

A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.

References

https://access.redhat.com/security/cve/CVE-2026-53476
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2487233
issue-trackingx_refsource_REDHAT
https://github.com/kubev2v/assisted-migration-agent/pull/256

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.