CVE-2026-53476
Analyzed Analyzed - Analysis Complete

Path Traversal in Assisted Migration Agent via Malicious gzipped Tarball

Publication date: 2026-06-10

Last updated on: 2026-06-16

Assigner: Red Hat, Inc.

Description
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-16
Generated
2026-06-30
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-29
NVD
CVE-2026-53476
EUVD
EUVD-2026-36033

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kubev2v assisted_migration_agent to 2026-06-07 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers on the local area network to write arbitrary files and potentially execute unauthorized code with elevated privileges. This could lead to manipulation of configuration files, persistent code execution, and credential exfiltration.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data integrity, confidentiality, and system security.

Specifically, the risk of credential exfiltration and unauthorized code execution could lead to breaches of sensitive personal or health information, violating regulatory requirements for protecting such data.

Executive Summary

This vulnerability is a path traversal flaw in the assisted-migration-agent's VDDK tarball extraction process. An unauthenticated attacker on the same local area network (LAN) can craft a malicious gzipped tarball containing symbolic links (symlinks) that bypass the existing security checks. These symlinks allow the attacker to write arbitrary files outside the intended extraction directory by exploiting weaknesses in the path validation logic.

The vulnerability arises because the extraction function relies on lexical path checks that do not resolve symlinks properly, enabling chained symlink attacks. This can lead to unauthorized file writes as the user ID 1001, potentially overwriting critical system files or configuration files.

Impact Analysis

Exploitation of this vulnerability can have severe impacts, including arbitrary file writes on the system running the assisted-migration-agent. This can lead to manipulation of configuration files, persistent unauthorized code execution, and credential exfiltration.

Since the agent runs with vCenter admin privileges, an attacker could potentially gain full system compromise, resulting in loss of confidentiality, integrity, and availability of the affected appliance.

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious tarball uploads or extraction activities on the assisted-migration-agent, specifically targeting the PUT /inspector/vddk endpoint which processes gzipped tarballs.

Since the vulnerability exploits path traversal via crafted symlinks inside tarballs, you can detect attempts by inspecting tarball contents for unusual or suspicious symlinks that point outside the intended extraction directory.

Suggested commands include extracting and inspecting tarballs manually or via scripts to look for symlinks that could lead to path traversal:

  • Use tar to list contents and identify symlinks: tar -tvf suspicious.tar.gz
  • Extract tarball in a safe directory and check for symlinks pointing outside: tar -xvzf suspicious.tar.gz -C /tmp/safe_dir && find /tmp/safe_dir -type l -exec ls -l {} \;
  • Check logs or network traffic for unusual PUT requests to /inspector/vddk endpoint carrying tarballs.

Additionally, monitoring file writes by UID 1001 (the user under which the agent runs) to sensitive paths like /var/lib/agent/config or /app/.cache may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation involves applying the patch that fixes the path traversal vulnerability by implementing symlink resolution checks before file creation.

The patch ensures that the resolved parent directories of extracted files remain within the intended destination directory, preventing arbitrary file writes outside the extraction path.

Until the patch is applied, restrict access to the assisted-migration-agent's PUT /inspector/vddk endpoint to trusted LAN clients only, as the vulnerability requires LAN adjacency.

Monitor and audit any tarball uploads and extraction activities for suspicious patterns or unexpected file writes.

If possible, run the agent with least privilege and avoid running it with vCenter admin privileges to limit the impact of potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53476. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart