CVE-2026-52902
MediumCVSS 4.7Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using 'awx --conf.format yaml import'.
Risk Assessment
This vulnerability poses a risk that a malicious YAML file could be imported by a user, leading to unauthorized access to data on the local filesystem.
Recommendation
It is recommended that users avoid importing YAML files from untrusted sources and update awxkit to the latest version that addresses this vulnerability.
Original NVD description (English source)
A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.

