CVE-2026-52902 - Vulnerability Details - OpenCVE

A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Ansible Automation Platform

No data.

No data.

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-52902
https://bugzilla.redhat.com/show_bug.cgi?id=2486729

History

Tue, 09 Jun 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.
Title		Awxkit: path traversal via yaml !include directive
First Time appeared		Redhat Redhat ansible Automation Platform
Weaknesses		CWE-22
CPEs		cpe:/a:redhat:ansible_automation_platform:2
Vendors & Products		Redhat Redhat ansible Automation Platform
References		https://access.redhat.com/security/cve/CVE-2026-52902 https://bugzilla.redhat.com/show_bug.cgi?id=2486729
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-09T09:33:40.154Z

Updated: 2026-06-09T09:33:40.154Z

Reserved: 2026-06-09T07:23:36.530Z

Link: CVE-2026-52902

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T10:16:44.830

Modified: 2026-06-09T10:16:44.830

Link: CVE-2026-52902

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52902", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-09T07:23:36.530Z", "datePublished": "2026-06-09T09:33:40.154Z", "dateUpdated": "2026-06-09T09:33:40.154Z"}, "containers": {"cna": {"title": "Awxkit: path traversal via yaml !include directive", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using \"awx --conf.format yaml import\". This is a client-side vulnerability requiring user interaction."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-automation-platform-27/ee-supported-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-automation-platform-27/platform-resource-runner-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-52902", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486729", "name": "RHBZ#2486729", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-09T07:17:10.396Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "workarounds": [{"lang": "en", "value": "The following practices would help for avoiding exposure to this flaw:\n\n1) Prioritize the default JSON import format instead of YAML.\n2) Avoid importing YAML files from untrusted sources."}], "timeline": [{"lang": "en", "time": "2026-04-14T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-09T07:17:10.396Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-09T09:33:40.154Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}