Description
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
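A defensive extraction routine for this class of bug, as an added example that is not code from assisted-migration-agent or kubev2v: it extracts a gzipped tarball while resolving symlinks already written to disk (os.path.realpath) before each member is placed, which is what defeats the chained-symlink variant the advisory title names (CWE-59 layered on CWE-22). The archive it checks is a constructed sample, not the reported payload; the VDDK-style library path and the `vddk-extract` directory name are assumptions.

```python
import io, os, pathlib, tarfile, tempfile

def _inside(base, path):
    real = os.path.realpath(path)
    return real == base or real.startswith(base + os.sep)

def safe_extract(tar_bytes, dest):
    """Extract a gzipped tarball into dest, skipping members that would escape it. Checks run
    against the on-disk tree as each member is reached, so earlier symlinks are followed."""
    dest, rejected = os.path.realpath(dest), []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for m in tf:
            # hard-link targets are archive-relative; symlink targets are relative to the link
            rel = m.linkname if m.islnk() else os.path.join(os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.name) or not _inside(dest, os.path.join(dest, m.name)):
                rejected.append(m.name)   # '..' in the name, or an earlier symlink leads out
            elif os.path.isabs(m.linkname) or not _inside(dest, os.path.join(dest, rel)):
                rejected.append(m.name)   # link target escapes dest once chaining is resolved
            elif not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
                rejected.append(m.name)   # devices and fifos are never wanted from an upload
            else:
                tf.extract(m, dest, set_attrs=False)
    return rejected

def _add(tf, name, ftype, data=b"", linkname=""):
    ti = tarfile.TarInfo(name)
    ti.type, ti.linkname, ti.size = ftype, linkname, len(data)
    tf.addfile(ti, io.BytesIO(data) if ftype == tarfile.REGTYPE else None)

def build_demo_tar():
    # Constructed sample, not the advisory's payload: a VDDK-style library plus two escapes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        _add(tf, "vddk/lib64/libvixDiskLib.so", tarfile.REGTYPE, b"placeholder")
        _add(tf, "d", tarfile.DIRTYPE)
        _add(tf, "d/up", tarfile.SYMTYPE, linkname="..")      # resolves to dest itself
        _add(tf, "esc", tarfile.SYMTYPE, linkname="d/up/..")  # lexically 'd', really dest/..
        _add(tf, "esc/pwned", tarfile.REGTYPE, b"x")          # would land outside via esc
        _add(tf, "../outside", tarfile.REGTYPE, b"x")         # classic traversal
    return buf.getvalue()

def run_demo():
    # Extract the sample into a fresh temp dir; report rejections and whether anything escaped
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "vddk-extract")
    os.mkdir(dest)
    rejected = safe_extract(build_demo_tar(), dest)
    benign = pathlib.Path(dest, "vddk/lib64/libvixDiskLib.so").read_bytes()
    escaped = [n for n in ("pwned", "outside") if os.path.exists(os.path.join(root, n))]
    return rejected, benign, escaped
```

In production, treat any rejected member as grounds to discard the whole upload rather than extracting the rest; on Python 3.12+ the built-in `filter="data"` extraction filter applies a comparable policy.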
Published: 2026-06-10
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in assisted-migration-agent enables an unauthenticated attacker on the same local area network to craft a specially designed gzipped tarball that bypasses security checks. By exploiting a path-traversal flaw, the attacker can write arbitrary files to the system, effectively allowing execution of unauthorized code. This flaw corresponds to CWE-59 and CWE-22 and carries a CVSS score of 9.6, indicating critical severity.

Affected Systems

Products affected are instances of the assisted-migration-agent software distributed by kubev2v. No specific version information is provided in the advisory, so the vulnerability may exist in all releases prior to the fix.

Risk and Exploitability

The CVSS score of 9.6 signals a very high risk of successful exploitation. EPSS data is available and indicates a very low exploitation probability (less than 1%), and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local network traffic directed at the agent, since the attacker must be able to deliver a crafted tarball over the LAN. If exploited, the attacker could overwrite critical configuration or binary files and achieve remote code execution on the appliance. This flaw corresponds to CWE-59 and CWE-22.

Generated by OpenCVE AI on June 18, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the assisted-migration-agent package to the vendor-supplied fix that addresses the path-traversal issue.
  • Restrict access to the migration agent by configuring firewall rules or network segmentation so that only trusted hosts can reach it over the LAN.
  • Disable the ability to upload tarball files for migration until the vulnerability is patched.
  • Review any automated migration workflows to ensure they do not use untrusted tarball inputs before remediation is complete.

Generated by OpenCVE AI on June 18, 2026 at 01:51 UTC.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kubev2v assisted Migration Agent
Weaknesses          |                | CWE-22
CPEs                |                | cpe:2.3:a:kubev2v:assisted_migration_agent:*:*:*:*:*:*:*:*
Vendors & Products  |                | Kubev2v assisted Migration Agent

Thu, 11 Jun 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kubev2v; Kubev2v assisted-migration-agent
Vendors & Products  |                | Kubev2v; Kubev2v assisted-migration-agent

Thu, 11 Jun 2026 00:15:00 +0000

Type       | Values Removed        | Values Added
References |                       |
Metrics    | threat_severity: None | threat_severity: Important


Wed, 10 Jun 2026 14:45:00 +0000

Type        | Values Removed | Values Added
Description |                | A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Title       |                | Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write
Weaknesses  |                | CWE-59
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:44:30.838Z

Reserved: 2026-06-09T17:03:29.628Z

Link: CVE-2026-53476

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-06-10T15:16:42.220

Modified: 2026-06-16T14:52:24.287

Link: CVE-2026-53476

Red Hat

Severity: Important

Public Date: 2026-06-07T00:00:00Z

Links: CVE-2026-53476 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T02:00:05Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')