Description
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Published: 2026-06-10
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in assisted-migration-agent lets an unauthenticated attacker on the same local area network supply a specially crafted gzipped tarball (the advisory title names the VDDK tarball) that passes the agent's checks. The weakness is CWE-59, Improper Link Resolution Before File Access ('Link Following'), not a literal "../" traversal: the archive declares symlinks that, followed in sequence, resolve outside the extraction directory, so a later entry whose name looks local is written through those links to an arbitrary location on the appliance. An arbitrary file write of that kind can be turned into execution of unauthorized code. The CVSS v3.1 base score is 9.6 (Critical).

Affected Systems

The affected product is Red Hat's assisted-migration-agent. No affected or fixed versions are listed on this page; until Red Hat publishes version data, treat every deployed release as affected.

Risk and Exploitability

A CVSS score of 9.6 measures severity, not the likelihood of exploitation: no EPSS estimate is available and the CVE is not in the CISA KEV catalog. The vector string recorded below (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) states that the attack comes from the adjacent network, needs no privileges, no user interaction and low complexity, and that its impact extends beyond the vulnerable component. In practice the attacker only has to get the crafted tarball to the agent over the LAN. A successful exploit can overwrite configuration or binaries and lead to code execution on the appliance.

Generated by OpenCVE AI on June 10, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied fix for assisted-migration-agent as soon as Red Hat publishes one; none is listed on this page yet.
  • Restrict access to the migration agent by configuring firewall rules or network segmentation so that only trusted hosts can reach it over the LAN.
  • Disable the ability to upload tarball files for migration until the vulnerability is patched.
  • Review any automated migration workflows to ensure they do not use untrusted tarball inputs before remediation is complete.

Generated by OpenCVE AI on June 10, 2026 at 15:26 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:45:00 +0000

Type         Values Removed   Values Added
Description  -                A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Title        -                Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write
Weaknesses   -                CWE-59
References   -                -
Metrics      -                cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:44:30.838Z

Reserved: 2026-06-09T17:03:29.628Z

Link: CVE-2026-53476

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T15:16:42.220

Modified: 2026-06-10T15:16:42.220

Link: CVE-2026-53476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses