CVE-2026-53476 PUBLISHED

Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write

Assigner: redhat
Reserved: 09.06.2026 Published: 10.06.2026 Updated: 10.06.2026

A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.6

Attack Vector	Adjacent Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Package Collection	https://github.com/kubev2v/assisted-migration-agent
Package Name	assisted-migration-agent
Versions	Default: unaffected affected from 0 to bcae0438ad8386321a300413d71c982a11b7b5b7 (excl.)

References

Problem Types

Improper Link Resolution Before File Access ('Link Following') CWE