Path Traversal in assisted-migration-agent Allows LAN Attacker to Write Arbitrary Files (CVE-2026-53476)

critical-cve-against-infra · active

A critical path traversal flaw in assisted-migration-agent lets an unauthenticated attacker on the same local network craft a malicious gzipped tarball that bypasses security checks and writes arbitrary files to the system, potentially leading to code execution on the appliance.

Affected packages

Sources

• ghsahttps://github.com/advisories/GHSA-7j4w-x8x8-5mvg
• nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-53476
• ghsahttps://github.com/kubev2v/assisted-migration-agent/pull/256
• nvdhttps://access.redhat.com/security/cve/CVE-2026-53476
• nvdhttps://bugzilla.redhat.com/show_bug.cgi?id=2487233