Description
A deserialization of untrusted data vulnerability was found in ManageIQ. The YamlLoadAliases module overrides YAML.safe_load to silently fall back to YAML.unsafe_load in production when a Psych::DisallowedClass error occurs. An authenticated attacker with dialog import access can exploit this to achieve remote code execution by uploading a crafted YAML payload that triggers the fallback and deserializes arbitrary Ruby objects.
Published: n/a
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in ManageIQ occurs because the YamlLoadAliases module overrides YAML.safe_load so that, in production, a Psych::DisallowedClass error is rescued and the document is silently re-parsed with YAML.unsafe_load. That fallback permits the deserialization of arbitrary Ruby objects: an authenticated attacker with dialog import access uploads a crafted YAML payload whose tags are refused by safe_load, the override retries with the unrestricted loader, and remote code execution follows. The flaw is a classic deserialization weakness, classified as CWE-502, in which untrusted serialized data is reconstructed into live objects that can drive code execution. Exploitation requires legitimate dialog import privileges rather than an unauthenticated network-facing entry point, so this is an authenticated exploitation scenario.
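The fallback pattern the analysis describes, beside a fail-closed alternative, as an added Ruby example that is not ManageIQ's code (the method names, the use of `aliases: true`, and the sample document are assumptions; the sample is harmless and only contains a Symbol, which safe_load rejects by default):

```ruby
require "yaml"

# Constructed sample document (not a real ManageIQ dialog export): it uses a
# YAML alias and contains a Symbol. Psych's safe_load raises
# Psych::DisallowedClass for the Symbol unless it is explicitly permitted.
SAMPLE_YAML = <<~YAML
  name: &n example-dialog
  copy: *n
  mode: :strict
YAML

# Hypothetical weak wrapper modelled on the description: the disallowed-class
# error is rescued and the document is re-parsed with the unrestricted loader,
# so every tag that safe_load refused is silently accepted instead.
def load_with_fallback(yaml)
  YAML.safe_load(yaml, aliases: true)
rescue Psych::DisallowedClass
  # unsafe_load exists in Psych >= 3.3; in older Psych, load is the unrestricted one.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened wrapper: enumerate exactly the classes and symbols the format needs
# and let Psych::DisallowedClass propagate, so unexpected tags fail closed.
def load_strict(yaml, permitted_classes: [], permitted_symbols: [])
  YAML.safe_load(yaml,
                 permitted_classes: permitted_classes,
                 permitted_symbols: permitted_symbols,
                 aliases: true)
end

# Audit helper: reports whether a stored document would have hit the fallback,
# without deserializing anything beyond what safe_load already allows.
def fallback_would_trigger?(yaml)
  YAML.safe_load(yaml, aliases: true)
  false
rescue Psych::DisallowedClass
  true
end
```

Running `fallback_would_trigger?` over existing dialog exports is a cheap way to find documents that depend on the unsafe path before removing it.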

Affected Systems

ManageIQ platforms are affected. No specific vendor product names or version ranges are supplied in the data, so any installation of ManageIQ that includes the YamlLoadAliases module and uses the default production configuration is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 places this issue in the High severity band, and it is not yet listed in CISA's KEV catalog. Although no EPSS score is available, the combination of a high severity rating and the requirement for only authenticated import privileges gives the vulnerability a notable risk of exploitation. An attacker must first obtain dialog import access and then upload a malicious YAML document; the unsafe load then executes arbitrary code on the host running ManageIQ. Because the default configuration contains no mitigation for the fallback, exploitation is straightforward for any user holding that privilege.

Generated by OpenCVE AI on June 9, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or update ManageIQ to a release that removes the unsafe fallback for YAML.safe_load in production.
  • Make the application's safe_load wrapper re-raise Psych::DisallowedClass instead of silently falling back, disabling the automatic switch to unsafe_load.
  • Restrict dialog import permissions to trusted personnel or remove import rights from unprivileged accounts.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Manageiq; Manageiq manageiq
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Manageiq; Manageiq manageiq

Tue, 09 Jun 2026 12:15:00 +0000

Type: Description
  Values Added: A deserialization of untrusted data vulnerability was found in ManageIQ. The YamlLoadAliases module overrides YAML.safe_load to silently fall back to YAML.unsafe_load in production when a Psych::DisallowedClass error occurs. An authenticated attacker with dialog import access can exploit this to achieve remote code execution by uploading a crafted YAML payload that triggers the fallback and deserializes arbitrary Ruby objects.
Type: Title
  Values Added: manageiq: YAML safe_load production fallback to unsafe_load enables RCE via deserialization
Type: Weaknesses
  Values Added: CWE-502
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Important

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Published Date: 2026-06-09T07:23:47Z

Links: CVE-2026-52903 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T14:30:07Z

Weaknesses