Severity: High (CVSS 8.8)

Affected Systems: ManageIQ (affected versions are listed in the NVD and vendor advisory)

Overview

manageiq: YAML safe_load production fallback to unsafe_load enables RCE via deserializa...

A high-severity vulnerability, tracked as CVE-2026-52903, has been disclosed in ManageIQ.

A deserialization-of-untrusted-data vulnerability was found in ManageIQ. The YamlLoadAliases module overrides YAML.safe_load so that, in production, a Psych::DisallowedClass error silently triggers a fallback to YAML.unsafe_load. An authenticated attacker with dialog import access can upload a crafted YAML payload that deliberately raises that error; the fallback then deserializes arbitrary Ruby objects, which can be leveraged for remote code execution.
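The following is an added example, not ManageIQ's own code (the advisory does not reproduce it). It shows the vulnerable shape described above, a safe_load wrapper that rescues Psych::DisallowedClass and retries with unsafe_load, next to a strict wrapper that names the classes it permits and lets the error propagate. The AuditSink class, the two payloads and the permitted-class list are constructed for illustration and are assumptions.

```ruby
require "yaml"

# Constructed stand-in for any class an attacker names in a payload.
# Psych revives it with allocate and sets instance variables from the
# mapping, so no initialize runs; in a real attack the chosen class is
# one whose methods the application later calls.
class AuditSink
  attr_reader :target
end

# Vulnerable shape (illustrative, not ManageIQ's code): rescue
# Psych::DisallowedClass and, in production, retry with unsafe_load.
# The rescue turns the safe loader's refusal into a signal to go unsafe.
module YamlLoadWithFallback
  def self.load(yaml, production: true)
    YAML.safe_load(yaml, aliases: true)
  rescue Psych::DisallowedClass
    raise unless production
    YAML.unsafe_load(yaml)
  end
end

# Hardened shape: name the classes the importer legitimately needs
# (the list here is an assumption) and let DisallowedClass propagate so
# the import fails closed.
module YamlLoadStrict
  PERMITTED_CLASSES = [Symbol].freeze

  def self.load(yaml)
    YAML.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: true)
  end

  # True when the strict loader refuses the document.
  def self.rejects?(yaml)
    load(yaml)
    false
  rescue Psych::DisallowedClass
    true
  end
end

# Constructed payload: a dialog-like document using a legitimate alias
# plus an object tag for a class the importer never asked for.
TAGGED_PAYLOAD = <<~YAML
  dialog:
    name: &n Example
    label: *n
    hook: !ruby/object:AuditSink
      target: /etc/passwd
YAML

# Same document without the object tag; both loaders accept it.
CLEAN_PAYLOAD = <<~YAML
  dialog:
    name: &n Example
    label: *n
YAML

# Returns the class of the value the fallback loader put under "hook".
def fallback_hook_class(yaml = TAGGED_PAYLOAD)
  YamlLoadWithFallback.load(yaml)["dialog"]["hook"].class
end

if __FILE__ == $PROGRAM_NAME
  hook = YamlLoadWithFallback.load(TAGGED_PAYLOAD)["dialog"]["hook"]
  puts "fallback loader built: #{hook.class} target=#{hook.target}"
  puts "strict loader rejects tagged payload: #{YamlLoadStrict.rejects?(TAGGED_PAYLOAD)}"
  puts "strict loader accepts clean payload: #{!YamlLoadStrict.rejects?(CLEAN_PAYLOAD)}"
end
```

The point of the comparison is that the same document is handled by both wrappers, and only the object tag differs from a legitimate import. The safe loader refuses the tag in both cases; the fallback wrapper treats that refusal as a reason to re-parse with the unrestricted loader, which instantiates whatever class the attacker named. The strict wrapper keeps the refusal as an error, so an import containing an unexpected tag fails instead of executing.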

Risk

The CVSS score of 8.8 places this issue in the High band. The exploit condition is the one described above: an authenticated user with dialog import permission can turn a YAML import into arbitrary object deserialization and, from there, remote code execution.

  • Review the NVD and vendor advisory for the full CVSS vector, affected versions and any CISA exploitation status

Required Action

Review the linked vendor and NVD advisory, then apply the vendor-provided update or mitigation for the affected product.

Prioritize systems where the affected product is internet-facing, handles authentication, or runs with elevated privileges.

Verify Updates

Confirm whether your environment runs ManageIQ; the affected versions are listed in the NVD and vendor advisory.

After remediation, verify the installed version against the fixed or unaffected versions listed by the vendor.

Temporary Mitigation (if patch is not available)

Use the mitigation published by the vendor. If no vendor mitigation is available, reduce exposure to the affected product, restrict access to trusted users or networks, and increase monitoring until an update can be applied. In particular, restrict the dialog import permission to trusted administrators, since the attack requires it, and review recent dialog imports for YAML containing Ruby object tags.

Recommendation

  • Use vendor and NVD references as the source of truth for affected versions and remediation
  • Patch or mitigate affected products after confirming exposure in your environment
  • Monitor affected systems for unusual activity until remediation is complete

Support

If you require assistance, please contact our support team.

Immediate action is strongly recommended to protect your infrastructure.

Source Details

Tuesday, June 9, 2026