CVE-2026-52902
Description
awxkit's YAML !include directive allows path traversal, enabling attackers to read arbitrary YAML files from the user's filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A path traversal vulnerability exists in the !include directive within awxkit, the CLI tool for AWX. The extractFile() function in awxkit/yaml_file.py builds the target path with os.path.join() from the unsanitized, user-controlled value of the !include tag and performs no path containment check. os.path.join() offers no protection here: a component containing ".." walks out of the base directory, and an absolute component causes os.path.join() to discard the base directory entirely. The available references do not enumerate affected versions; any awxkit release that carries this code path is affected.
Exploitation
An attacker must convince a user to download and import a malicious YAML file using the awx --conf.format yaml import command. The !include directive within this crafted YAML file will then be processed, allowing the tool to read arbitrary YAML-formatted files from the user's local filesystem.
Impact
Successful exploitation allows an attacker to read arbitrary files from the user's filesystem, provided they parse as YAML. The contents of these files are then populated into AWX resource fields, potentially making sensitive information accessible via the AWX API or UI. This is a client-side vulnerability requiring user interaction; files that are not valid YAML cause a parse error rather than a leak, so the practical reach is configuration and inventory files, credentials stored as YAML, and similar.
Mitigation
No patch is disclosed in the available references. The advisory's recommendation is to avoid importing untrusted YAML files with awxkit; importing in the default JSON format is not affected. The upstream repository is available at [2].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Package: https://pypi.org/project/awxkit
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The YAML !include directive does not sanitize file paths, allowing arbitrary file reads."
Attack vector
An attacker can craft a malicious YAML file containing a `!include` directive pointing to an arbitrary file on the victim's system. The victim must then import this malicious YAML file using the `awx --conf.format yaml import` command. This vulnerability is client-side and requires user interaction to trigger. The contents of the included file are then populated into AWX resource fields, making them accessible via the AWX API/UI [ref_id=1].
Affected code
The vulnerability resides in the `extractFile()` function located in `awxkit/yaml_file.py`. This function constructs file paths using `os.path.join()` with user-controlled input from `!include` tags without proper sanitization or path containment checks [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory recommends that users avoid importing untrusted YAML files. Given the root cause (an `os.path.join()` call on the raw `!include` value in `extractFile()`), a fix would need to resolve the target path and reject any result that falls outside the including file's directory before opening it; a prefix comparison on the joined string is not sufficient, since `..` segments and absolute paths both survive `os.path.join()` [ref_id=1].
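The following is an added example, not awxkit's own code from `awxkit/yaml_file.py`. It puts the unchecked `os.path.join()` pattern the advisory describes beside a contained resolver, and drives both with a toy `!include` loader over a file layout constructed in a temporary directory. The loader (`load_with_includes`), the resolver names, the `IncludeEscape` exception and the sample files are all assumptions made for illustration; only the `os.path.join()` behaviour and the `os.path.realpath()` / `os.path.commonpath()` containment check are general.

```python
"""Added example: unchecked vs. contained resolution of an !include target.

Not awxkit's code. The toy loader below recognises lines of the form
`key: !include <path>` and splices in the named file's text; the file layout
is constructed in a temporary directory. Function and exception names are
illustrative assumptions.
"""
import os
import tempfile


class IncludeEscape(Exception):
    """Raised when an !include target resolves outside the base directory."""


def resolve_include_unchecked(base_dir, target):
    # The vulnerable pattern: os.path.join on the raw tag value.
    # '..' segments walk upward out of base_dir, and an absolute target
    # makes os.path.join discard base_dir altogether.
    return os.path.join(base_dir, target)


def resolve_include_contained(base_dir, target):
    # Hardened form: collapse '..' and follow symlinks first, then require
    # the result to sit under base_dir. commonpath avoids the prefix trap
    # (/srv/conf vs /srv/conf2) that a plain startswith check falls into.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, target))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeEscape(f"!include target escapes {base}: {target}")
    return candidate


def load_with_includes(doc_path, resolver):
    """Toy loader: returns {key: value}, splicing `!include` targets via resolver."""
    base_dir = os.path.dirname(os.path.abspath(doc_path))
    result = {}
    with open(doc_path) as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            value = value.strip()
            if value.startswith("!include "):
                target = value[len("!include "):].strip()
                with open(resolver(base_dir, target)) as inc:
                    result[key.strip()] = inc.read().strip()
            else:
                result[key.strip()] = value
    return result


def demo():
    """Constructed layout: imports/ holds the documents, secrets.yml sits above it."""
    root = tempfile.mkdtemp()
    imports = os.path.join(root, "imports")
    os.mkdir(imports)
    secrets = os.path.join(root, "secrets.yml")  # outside imports/
    with open(secrets, "w") as f:
        f.write("db_password: hunter2\n")
    with open(os.path.join(imports, "vars.yml"), "w") as f:
        f.write("region: eu-west-1\n")

    # Malicious document: one legitimate include, one relative traversal,
    # and a second document using an absolute path.
    relative_doc = os.path.join(imports, "job_template.yml")
    with open(relative_doc, "w") as f:
        f.write("name: demo\n"
                "extra_vars: !include vars.yml\n"
                "description: !include ../secrets.yml\n")
    absolute_doc = os.path.join(imports, "abs.yml")
    with open(absolute_doc, "w") as f:
        f.write(f"description: !include {secrets}\n")

    out = {"leaked": load_with_includes(relative_doc, resolve_include_unchecked),
           "leaked_abs": load_with_includes(absolute_doc, resolve_include_unchecked)}
    for name, doc in (("relative_blocked", relative_doc), ("absolute_blocked", absolute_doc)):
        try:
            load_with_includes(doc, resolve_include_contained)
            out[name] = False
        except IncludeEscape:
            out[name] = True
    return out


if __name__ == "__main__":
    r = demo()
    print("unchecked resolver read:", r["leaked"]["description"])
    print("absolute target read:", r["leaked_abs"]["description"])
    print("contained resolver blocked:", r["relative_blocked"], r["absolute_blocked"])
```

The contained resolver still permits a legitimate `!include vars.yml` from the same directory; it only rejects targets whose real path leaves that directory, which also covers a symlink planted inside the directory that points outside it.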
Preconditions
- input: The attacker must provide a malicious YAML file with a crafted `!include` directive.
- input: The user must import the YAML file using the `--conf.format yaml import` option.
- config: The import format must be YAML, as JSON is the default and not affected.
References
News mentions
No linked articles in our index yet.