diff --git a/roles/mirrormanager/frontend2/files/xmlrpc.py b/roles/mirrormanager/frontend2/files/xmlrpc.py
new file mode 100644
index 0000000000..804f43afc8
--- /dev/null
+++ b/roles/mirrormanager/frontend2/files/xmlrpc.py
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright © 2014 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions
+# of the GNU General Public License v.2, or (at your option) any later
+# version. This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY expressed or implied, including the
+# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details. You
+# should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# Any Red Hat trademarks that are incorporated in the source
+# code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission
+# of Red Hat, Inc.
+#
+
+'''
+MirrorManager2 xmlrpc controller.
+'''
+
+import base64
+import pickle
+import bz2
+
+import flask
+from flaskext.xmlrpc import XMLRPCHandler, Fault
+
+from mirrormanager2.app import APP, ADMIN, SESSION
+from mirrormanager2.lib import model
+from mirrormanager2.lib.hostconfig import read_host_config
+
+
+XMLRPC = XMLRPCHandler('xmlrpc')
+XMLRPC.connect(APP, '/xmlrpc')
+
+
+@XMLRPC.register
+def checkin(pickledata):
+ config = pickle.loads(bz2.decompress(base64.urlsafe_b64decode(pickledata)))
+ r, message = read_host_config(SESSION, config)
+ if r is not None:
+ return message + 'checked in successful'
+ else:
+ return message + 'error checking in'
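Review bot: `checkin` hands the client-supplied `pickledata` argument straight to `pickle.loads`, so any caller that can reach `/xmlrpc` chooses what gets deserialized, and unpickling can construct arbitrary objects and run code in the web process; nothing in this file authenticates the caller first. The task comment in tasks/main.yml describes this hotfix as allowing JSON submissions (Related: CVE-2016-1000003), yet the new file has no JSON path at all. I would add `import json` and parse with `config = json.loads(bz2.decompress(base64.urlsafe_b64decode(pickledata)))`, rejecting anything that does not decode to a dict before it reaches `read_host_config`. `bz2.decompress` also runs on the whole payload with no size bound, so a cap on the encoded input length and on the decompressed size belongs in the same change.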
diff --git a/roles/mirrormanager/frontend2/tasks/main.yml b/roles/mirrormanager/frontend2/tasks/main.yml
index b2ed34e147..b069a55aa3 100644
--- a/roles/mirrormanager/frontend2/tasks/main.yml
+++ b/roles/mirrormanager/frontend2/tasks/main.yml
@@ -156,3 +156,22 @@
 - f-dot.png
 tags:
 - mm2_frontend
+
+# This hotfix is to allow json submission (Related: CVE-2016-1000003)
+- name: Hotfix xmlrpc to allow json submissions
+ file: src=xmlrpc.py dest=/usr/lib/python2.7/site-packages/mirrormanager2/xmlrpc.py
+ owner=root group=root mode=0644
+ notify:
+ - reload httpd
+ tags:
+ - mm2_frontend
+
+- name: Remove python cache files for xmlrpc code
+ file: path={{item}} state=absent
+ with_items:
+ - /usr/lib/python2.7/site-packages/mirrormanager2/xmlrpc.pyc
+ - /usr/lib/python2.7/site-packages/mirrormanager2/xmlrpc.pyo
+ notify:
+ - reload httpd
+ tags:
+ - mm2_frontend
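Review bot: The first added task uses the `file` module with `src=`, and as far as I know `file` only manages attributes, links and directories (`src` is honoured only for `state=link` and `state=hard`), so this task would set owner and mode on the installed xmlrpc.py without replacing its content. If the intent is to ship roles/mirrormanager/frontend2/files/xmlrpc.py, the line should read `copy: src=xmlrpc.py dest=/usr/lib/python2.7/site-packages/mirrormanager2/xmlrpc.py`. Because the task overwrites a file owned by a package, I would also add a comment stating the condition under which the hotfix can be dropped, so a later package update is not silently reverted by the playbook.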