CVE-2026-52902 PUBLISHED

Awxkit: path traversal via yaml !include directive

Assigner: redhat
Reserved: 09.06.2026 Published: 09.06.2026 Updated: 09.06.2026

A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 4.7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Ansible Automation Platform 2
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Ansible Automation Platform 2
Versions	Default: affected

Workarounds

The following practices would help for avoiding exposure to this flaw:

1) Prioritize the default JSON import format instead of YAML. 2) Avoid importing YAML files from untrusted sources.

References

Problem Types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE