CVE-2026-53476: Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write
A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: bcae0438ad8386321a300413d71c982a11b7b5b7
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in assisted-migration-agent allows an unauthenticated attacker on the same local network to write arbitrary files to the host system by delivering a specially crafted gzipped tarball containing chained symbolic links. The attacker must be reachable on the LAN but needs no credentials and requires no user interaction. Successful exploitation gives the attacker full read, write, and availability impact on the affected appliance, including the ability to execute unauthorized code. A patched-image rebuild at commit bcae0438ad8386321a300413d71c982a11b7b5b7 is available on HarborGuard for environments running an affected version.
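The chained-symlink class of bypass described above can be caught before extraction by resolving every entry against the symlinks the archive has already declared, rather than checking each path lexically. The following is an added example, not the project's code or its fix; `resolve`, `check_members`, `entry` and the sample entries are hypothetical names and constructed data, and the exact payload for this CVE is not on this page.

```python
import posixpath
import tarfile

def resolve(path, links, depth=0):
    """Resolve an archive-relative path through symlinks declared so far."""
    if depth > 32 or path.startswith("/"):
        raise ValueError("absolute path or symlink loop: " + path)
    out, parts = [], path.split("/")
    for i, part in enumerate(parts):
        if part in ("", "."):
            continue
        if part == "..":
            if not out:
                raise ValueError("escapes extraction root: " + path)
            out.pop()
            continue
        out.append(part)
        cur = "/".join(out)
        if cur in links:  # follow the link, then resolve what is left
            target = posixpath.join("/".join(out[:-1]), links[cur], *parts[i + 1:])
            return resolve(target, links, depth + 1)
    return "/".join(out)

def check_members(members):
    """Return each entry's resolved destination; raise ValueError on escape."""
    links, placed = {}, []
    for m in members:
        parent, base = posixpath.split(m.name.rstrip("/"))
        if base == "..":
            raise ValueError("escapes extraction root: " + m.name)
        where = posixpath.join(resolve(parent, links), base)
        if m.issym():  # target is relative to the link's resolved directory
            resolve(posixpath.join(posixpath.dirname(where), m.linkname), links)
            links[where] = m.linkname
        elif m.islnk():  # hard-link targets are relative to the archive root
            resolve(m.linkname, links)
        placed.append(where)
    return placed

def entry(name, kind=tarfile.REGTYPE, linkname=""):
    m = tarfile.TarInfo(name)  # constructed header, no file data
    m.type, m.linkname = kind, linkname
    return m

# Constructed sample entries, not the payload from the advisory.
BENIGN = [entry("lib", tarfile.DIRTYPE), entry("lib/a.so"),
          entry("lib/cur", tarfile.SYMTYPE, "a.so")]
# "x" -> "." makes "x/y" land at "y", so its ".." target is outside the root.
CHAINED = [entry("x", tarfile.SYMTYPE, "."), entry("x/y", tarfile.SYMTYPE, "..")]
```

For a real archive, pass the open `tarfile.TarFile` object to `check_members` and extract only if it returns without raising.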
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from assisted-migration-agent base layers.
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each environment's compliance policy to route alerts to the appropriate team inbox within each customer organization.
A patched-image rebuild pinned to commit bcae0438ad8386321a300413d71c982a11b7b5b7 is available on HarborGuard for any environment where an affected image version is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: The attacker must be present on the same adjacent network (LAN or VPN segment) as the target appliance; remote internet-based exploitation is not possible without prior network access.
- Authentication: Not required. No credentials or session token of any kind are needed; the attacker can deliver the malicious tarball without authenticating to the service.
- Victim interaction: Not required. The exploit completes without any action from a user or administrator on the target system.
- Attack complexity: The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or other environmental factors need to align for it to succeed.
Blast Radius
- Reads any file accessible to the migration agent process, including credentials, private keys, and configuration data stored on the appliance.
- Writes or overwrites arbitrary files on the host filesystem, including binaries, service configurations, and startup scripts.
- Achieves remote code execution by planting malicious files in locations that are later executed by the operating system or application runtime.
- Crashes or degrades the migration agent service by overwriting critical files, disrupting in-flight workload migrations.
How HarborGuard Handles This
Available on HarborGuard: this Critical-severity CVE (CVSS 9.6) is matched against scanned images the moment the advisory is ingested, with no gap for images already in customer registries or those built in active pipelines. A patched-image rebuild at the fix commit (bcae0438ad8386321a300413d71c982a11b7b5b7) is available for any environment where an affected version is present. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so engineering teams can act directly. Given the adjacent-network attack vector, compensating controls such as network-policy isolation restricting lateral LAN access to migration-agent ports are available as an interim measure until the patched image is deployed.
Fix available
- unknown < bcae0438ad8386321a300413d71c982a11b7b5b7 (from 0)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H