CVE-2026-53476

CRITICAL

Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write

Title source: cna

Description

A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.

References (3)

Core 3

Core References

Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-53476

Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat

RHBZ#2487233

https://bugzilla.redhat.com/show_bug.cgi?id=2487233

https://github.com/kubev2v/assisted-migration-agent/pull/256

Scores

CVSS v3 9.6

EPSS 0.0029

EPSS Percentile 20.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-59

Status published

Published Jun 10, 2026

Tracked Since Jun 10, 2026