Skip to main content

awxkit CVE-2026-52902

| EUVDEUVD-2026-35389 MEDIUM
Path Traversal (CWE-22)
2026-06-09 redhat GHSA-g29c-rgq6-gxgj
4.7
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Red Hat
4.7 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 10:39 vuln.today

DescriptionCVE.org

A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.

AnalysisAI

Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file via the AWX CLI. Affecting Red Hat Ansible Automation Platform 2, the vulnerability (CWE-22) allows an unauthenticated attacker who can deliver a malicious YAML file to a victim to read arbitrary YAML-formatted files from that user's local filesystem - including potentially sensitive configuration, credential, or key material files - without any write or execution capability. No public exploit identified at time of analysis; CVSS 4.7 reflects the real-world constraints of local attack vector, high complexity, and mandatory user interaction.

Technical ContextAI

awxkit is the Python-based CLI tool bundled with AWX and Red Hat Ansible Automation Platform 2 (CPE: cpe:2.3:a:red_hat:red_hat_ansible_automation_platform_2). It uses a custom YAML !include directive to allow configuration composition at import time. The root cause (CWE-22 - Improper Limitation of a Pathname to a Restricted Directory) is the absence of path canonicalization or allowlist validation on the argument passed to !include before it is resolved against the local filesystem. When the CLI processes awx --conf.format yaml import, it parses the YAML and blindly follows any !include path, including those containing sequences such as ../../ that traverse outside the intended directory. The attack surface is entirely client-side: the parsing happens in the context of the user executing the CLI, not on a server, which is why CVSS reflects a local (AV:L) attack vector.

RemediationAI

No explicit patched version is identified in currently available data - the advisory references (https://access.redhat.com/security/cve/CVE-2026-52902 and https://bugzilla.redhat.com/show_bug.cgi?id=2486729) should be monitored for an official fix release from Red Hat. Until a patch is available, the primary compensating control is operational: do not run awx --conf.format yaml import against YAML files obtained from untrusted sources, shared repositories, or external parties. If awxkit usage requires importing external configs, inspect YAML files manually for !include directives before importing - specifically checking for path traversal sequences (../) in any !include arguments. Organizations should enforce a policy that AWX YAML imports only occur from files generated internally or cryptographically verified. Note that these controls depend on user discipline and are not enforcement-layer mitigations; they do not eliminate the underlying flaw.

Vendor StatusVendor

Share

CVE-2026-52902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy