Skip to main content

migration-planner CVE-2026-53469

| EUVDEUVD-2026-36028 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-10 redhat GHSA-6xvf-9742-48w2
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Red Hat
9.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 15:01 vuln.today
Analysis Generated
Jun 10, 2026 - 15:01 vuln.today

DescriptionNVD

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.

AnalysisAI

Mass data deletion in Red Hat's kubev2v migration-planner SaaS platform allows attackers to wipe all customer sources, agents, and assessments via an unprotected DELETE /api/v1/sources endpoint. The endpoint lacks both authorization checks and tenant filtering, so a single request destroys data across the entire multi-tenant deployment. No public exploit identified at time of analysis, but the upstream fix (PR #1227) removes the endpoint entirely, confirming the issue is real and trivially reachable.

Technical ContextAI

migration-planner is the discovery and assessment component of the kubev2v project, used to plan migrations of virtualized workloads (e.g., VMware) into Kubernetes/OpenShift Virtualization. The vulnerable handler is a collection-level DELETE on /api/v1/sources defined in the OpenAPI spec (api/v1alpha1/openapi.yaml) and wired through the generated Go client (internal/api/client/client.gen.go). CWE-306 (Missing Authentication for Critical Function) is the precise root cause: the route accepts the DELETE verb without enforcing an authenticated identity or scoping the deletion to the caller's tenant, so it operates as a bulk wipe across all sources stored by the service.

Affected ProductsAI

Red Hat migration-planner (upstream project kubev2v/migration-planner on GitHub), the discovery/assessment service used in Migration Toolkit for Virtualization workflows. Specific affected versions are not enumerated in the provided NVD or Red Hat data; the upstream fix lands in pull request https://github.com/kubev2v/migration-planner/pull/1227, so any build of migration-planner that predates the merge of PR #1227 and still exposes DELETE /api/v1/sources is vulnerable. Vendor tracking is at https://access.redhat.com/security/cve/CVE-2026-53469 and https://bugzilla.redhat.com/show_bug.cgi?id=2487065.

RemediationAI

Upstream fix available (PR https://github.com/kubev2v/migration-planner/pull/1227); released patched version not independently confirmed - the patch removes the deleteSources operation and its DELETE /api/v1/sources route from the OpenAPI spec and generated client entirely, so update migration-planner to a build that incorporates this PR as soon as Red Hat publishes a tagged release (track https://access.redhat.com/security/cve/CVE-2026-53469 and https://bugzilla.redhat.com/show_bug.cgi?id=2487065). Until a fixed build is deployed, block DELETE requests to /api/v1/sources at an upstream reverse proxy, API gateway, or NetworkPolicy/Ingress - this is safe because the legitimate UI and agents do not need a bulk-delete-all primitive, and individual sources can still be removed via per-resource endpoints. As an additional compensating control, restrict network reachability of the migration-planner API to authenticated operator networks only and enable audit logging on the /api/v1/sources path so any deletion attempt is visible.

Vendor StatusVendor

Share

CVE-2026-53469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy