PatchSiren cyber security CVE debrief
CVE-2026-52902 Red Hat CVE debrief
A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using 'awx --conf.format yaml import'. This is a client-side vulnerability requiring user interaction.
- Vendor: Red Hat
- Product: Red Hat Ansible Automation Platform 2
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of awxkit, the CLI tool for AWX, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 4.7 and is classified as MEDIUM severity. It was published on 2026-06-09 and last modified on 2026-06-09.
Defensive priority
MEDIUM
Recommended defensive actions
- Users should exercise caution when importing YAML files using awxkit and ensure that the files are from trusted sources.
- Users should consider updating to a version of awxkit that addresses this vulnerability.
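One way to act on the first recommendation is to audit a YAML file for `!include` tags before passing it to `awx --conf.format yaml import`. The sketch below is an added example, not awxkit or Red Hat code: the function name, the sample document and the directory `/srv/awx-import` are constructed, it assumes relative include paths are resolved against the directory holding the import file, and it is a line-based heuristic rather than a full YAML parser.

```python
import re
from pathlib import Path

# "!include <path>", path optionally quoted, optional trailing comment.
INCLUDE_RE = re.compile(
    r"""!include\s+(?P<q>['"]?)(?P<path>[^'"\n#]+?)(?P=q)\s*(?:#.*)?$"""
)

def audit_includes(yaml_text, import_dir):
    """Return (line_no, target, verdict) for each !include tag found.

    verdict is "ok" when the target stays inside import_dir and
    "escapes-import-dir" when it is absolute or climbs out with "..".
    """
    base = Path(import_dir).resolve()
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment, never evaluated by a loader
        match = INCLUDE_RE.search(line)
        if not match:
            continue
        target = match.group("path").strip()
        # Joining with an absolute target discards base, so absolute
        # paths are caught by the same containment test as "../" paths.
        resolved = (base / target).resolve()
        inside = resolved == base or base in resolved.parents
        findings.append(
            (line_no, target, "ok" if inside else "escapes-import-dir")
        )
    return findings

# Constructed sample input, not taken from a real export.
SAMPLE = """\
organizations:
  - name: Default
    teams: !include shared/teams.yml
    credentials: !include ../../home/operator/.config/secrets.yml
    inventory: !include "/etc/app/inventory.yml"
# notes: !include ../ignored.yml
"""

if __name__ == "__main__":
    for line_no, target, verdict in audit_includes(SAMPLE, "/srv/awx-import"):
        print(f"line {line_no}: {target} -> {verdict}")
```

Any `escapes-import-dir` finding in a file received from someone else is a reason not to import it until the include has been reviewed.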
Evidence notes
The vulnerability was reported by an unknown vendor, but evidence suggests a connection to Red Hat.
Official resources
CVE-2026-52902 was published on 2026-06-09T10:16:44.830Z and last modified on 2026-06-09T13:49:39.993Z.