Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
AnalysisAI
Mass data deletion in Red Hat's kubev2v migration-planner SaaS platform allows attackers to wipe all customer sources, agents, and assessments via an unprotected DELETE /api/v1/sources endpoint. The endpoint lacks both authorization checks and tenant filtering, so a single request destroys data across the entire multi-tenant deployment. No public exploit identified at time of analysis, but the upstream fix (PR #1227) removes the endpoint entirely, confirming the issue is real and trivially reachable.
Technical ContextAI
migration-planner is the discovery and assessment component of the kubev2v project, used to plan migrations of virtualized workloads (e.g., VMware) into Kubernetes/OpenShift Virtualization. The vulnerable handler is a collection-level DELETE on /api/v1/sources defined in the OpenAPI spec (api/v1alpha1/openapi.yaml) and wired through the generated Go client (internal/api/client/client.gen.go). CWE-306 (Missing Authentication for Critical Function) is the precise root cause: the route accepts the DELETE verb without enforcing an authenticated identity or scoping the deletion to the caller's tenant, so it operates as a bulk wipe across all sources stored by the service.
Affected ProductsAI
Red Hat migration-planner (upstream project kubev2v/migration-planner on GitHub), the discovery/assessment service used in Migration Toolkit for Virtualization workflows. Specific affected versions are not enumerated in the provided NVD or Red Hat data; the upstream fix lands in pull request https://github.com/kubev2v/migration-planner/pull/1227, so any build of migration-planner that predates the merge of PR #1227 and still exposes DELETE /api/v1/sources is vulnerable. Vendor tracking is at https://access.redhat.com/security/cve/CVE-2026-53469 and https://bugzilla.redhat.com/show_bug.cgi?id=2487065.
RemediationAI
Upstream fix available (PR https://github.com/kubev2v/migration-planner/pull/1227); released patched version not independently confirmed - the patch removes the deleteSources operation and its DELETE /api/v1/sources route from the OpenAPI spec and generated client entirely, so update migration-planner to a build that incorporates this PR as soon as Red Hat publishes a tagged release (track https://access.redhat.com/security/cve/CVE-2026-53469 and https://bugzilla.redhat.com/show_bug.cgi?id=2487065). Until a fixed build is deployed, block DELETE requests to /api/v1/sources at an upstream reverse proxy, API gateway, or NetworkPolicy/Ingress - this is safe because the legitimate UI and agents do not need a bulk-delete-all primitive, and individual sources can still be removed via per-resource endpoints. As an additional compensating control, restrict network reachability of the migration-planner API to authenticated operator networks only and enable audit logging on the /api/v1/sources path so any deletion attempt is visible.
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36028
GHSA-6xvf-9742-48w2