CVE-2026-52902

Summary

A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx –conf.format yaml import". This is a client-side vulnerability requiring user interaction.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Workarounds

The following practices would help for avoiding exposure to this flaw:

  1. Prioritize the default JSON import format instead of YAML.
  2. Avoid importing YAML files from untrusted sources.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References