Severity by source
Primary rating from NVD.
CVSS Vector (NVD): CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base score 9.6 (Critical): adjacent-network access, low attack complexity, no privileges or user interaction required, scope changed, high confidentiality, integrity and availability impact.
Description (NVD)
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Analysis (AI)
An arbitrary file write in kubev2v assisted-migration-agent lets an unauthenticated attacker on the same LAN achieve code execution on the appliance by uploading a crafted gzipped tarball whose chained symlink entries bypass the path traversal checks. The flaw is in the VDDK tarball extraction routine (extractTarGz in internal/services/vddk.go). The CVSS 3.1 base score is 9.6 (Critical) because the scope changes and confidentiality, integrity and availability are all fully impacted; no public exploit had been identified at the time of analysis.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must be on the same Layer-2/Layer-3 adjacent network as the appliance (CVSS AV:A) and able to reach the assisted-migration-agent's VDDK tarball upload interface (the Upload method on VddkService). … |
| Risk Assessment | The CVSS 9.6 score reflects genuinely severe impact (Scope:Changed, C/I/A:High), but the attack vector is AV:A (Adjacent Network), not Network: exploitation requires the attacker to be on the same LAN as the appliance, which materially limits exposure compared to internet-reachable RCE bugs. … |
| Exploit Scenario | An attacker who has gained a foothold on any host in the same LAN as the assisted-migration-agent (for example, via a compromised migration source VM or another tenant on a shared management network) sends a crafted gzipped tarball to the agent's upload endpoint masquerading as a VDDK package. The tarball contains a symlink entry that resolves above the extraction root (of the form 'a/x -> ..') followed by a regular file 'a/x/evil.sh'; a lexical path check accepts the file name, but the write follows the symlink on disk and lands outside the destination directory, for example in a systemd unit path or a binary search path, leading to code execution as the agent's service account on the next invocation. … |
| Remediation | An upstream fix is available (PR/commit https://github.com/kubev2v/assisted-migration-agent/pull/256); a released patched version is not independently confirmed in the available intelligence, so consumers should pull a build that includes the PR #256 changes to internal/services/vddk.go or track the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-53476 for an updated package. … |
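The two extraction patterns described in the analysis and in the exploit scenario above, as an added example that is not code from assisted-migration-agent, from PR #256 or from this page. It is a self-contained Go lab: BuildTarGz constructs two in-memory tarballs (constructed sample input, not a real VDDK package), ExtractNaive applies the lexical-only check a path traversal guard typically performs, and ExtractSafe adds one rule, chosen here as an illustration and not known to be the project's actual fix: a symlink entry may not have an absolute target or a ".." component. The single-link payload follows the scenario above but uses "../.." so the write lands one level above the extraction directory rather than at its top level, which makes the escape observable; the chained-link payload goes beyond the page's example to show how two links that each look harmless (a/l1 -> .., then a/l1/l2 -> .. created through the first) defeat a check that resolves only one link at a time. All type and function names are this example's own, and it relies on Unix symlink semantics (Linux or macOS).

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Entry is one archive member; a non-empty Link makes it a symlink (names are this example's own).
type Entry struct{ Name, Link, Data string }

// BuildTarGz builds an in-memory .tar.gz from constructed entries (not a real VDDK package).
func BuildTarGz(entries []Entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		h := &tar.Header{Name: e.Name, Mode: 0o755, Typeflag: tar.TypeReg, Size: int64(len(e.Data))}
		if e.Link != "" {
			h.Typeflag, h.Linkname = tar.TypeSymlink, e.Link
		}
		_ = tw.WriteHeader(h)
		_, _ = io.WriteString(tw, e.Data)
	}
	_ = tw.Close()
	_ = gz.Close()
	return buf.Bytes()
}

// SingleLinkArchive: the advisory's shape with an extra ".." so the file lands above dest. ChainedLinkArchive
// beats one-level link checks: a/l1 -> .. stays inside dest, but l2 is created through it, so on disk it is <dest>/l2 -> ..
var (
	SingleLinkArchive  = BuildTarGz([]Entry{{Name: "a/x", Link: "../.."}, {Name: "a/x/evil.sh", Data: "echo pwned\n"}})
	ChainedLinkArchive = BuildTarGz([]Entry{{Name: "a/l1", Link: ".."}, {Name: "a/l1/l2", Link: ".."}, {Name: "a/l1/l2/evil.sh", Data: "echo pwned\n"}})
)

// extract streams regular files and symlinks (directory entries are not modelled); place maps each
// entry to an on-disk path or rejects it. MkdirAll, Symlink and WriteFile follow links already on disk.
func extract(tgz []byte, place func(*tar.Header) (string, error)) error {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return err
	}
	for tr := tar.NewReader(gz); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := place(hdr)
		if err != nil {
			return err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		if hdr.Typeflag == tar.TypeSymlink {
			err = os.Symlink(hdr.Linkname, target)
		} else if data, rerr := io.ReadAll(tr); rerr != nil {
			err = rerr
		} else {
			err = os.WriteFile(target, data, 0o755)
		}
		if err != nil {
			return err
		}
	}
}

// placer is the lexical check both extractors share (Join cleans "..", the result must still start with dest).
// rejectUpwardLinks adds the rule that makes it sufficient: no absolute or ".." symlink target, so no link chain can leave dest.
func placer(dest string, rejectUpwardLinks bool) func(*tar.Header) (string, error) {
	dest = filepath.Clean(dest)
	return func(hdr *tar.Header) (string, error) {
		target := filepath.Join(dest, hdr.Name)
		if !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
			return "", fmt.Errorf("illegal path %q", hdr.Name)
		}
		if rejectUpwardLinks && hdr.Typeflag == tar.TypeSymlink {
			up := strings.Contains("/"+filepath.ToSlash(hdr.Linkname)+"/", "/../")
			if filepath.IsAbs(hdr.Linkname) || up {
				return "", fmt.Errorf("symlink %q -> %q may escape %s", hdr.Name, hdr.Linkname, dest)
			}
		}
		return target, nil
	}
}

// ExtractNaive is the vulnerable pattern: names are checked, links already on disk are not.
func ExtractNaive(tgz []byte, dest string) error { return extract(tgz, placer(dest, false)) }
// ExtractSafe is the same extractor with the symlink rule switched on.
func ExtractSafe(tgz []byte, dest string) error { return extract(tgz, placer(dest, true)) }
```

Extract into a dest one level below a scratch directory: with ExtractNaive both payloads leave evil.sh in the scratch directory, outside dest, and the call returns no error, because MkdirAll and WriteFile follow the symlink that an earlier entry planted; with ExtractSafe the first offending symlink entry aborts the extraction and nothing is written beyond dest. The rule assumes dest starts empty (a symlink already present under dest is outside the archive's control and outside this check), so extract into a fresh directory. Rejecting only absolute and ".." targets still allows sibling links such as libexample.so.1 -> libexample.so.1.2, which library packages commonly carry.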
Recommended Action (AI)
Within 24 hours: inventory kubev2v assisted-migration-agent deployments in your environment; isolate affected appliances on a protected network segment and restrict LAN access to authorized migration sources only. …
Related identifiers
EUVD-2026-36033
GHSA-7j4w-x8x8-5mvg