Skip to main content

migration-planner CVE-2026-53470

| EUVDEUVD-2026-36034 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-10 redhat GHSA-v5m8-5455-qw2x
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 15:10 vuln.today
Analysis Generated
Jun 10, 2026 - 15:10 vuln.today

DescriptionNVD

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/{id}/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.

AnalysisAI

{id}/image-url` endpoint to obtain presigned S3 download URLs for OVA images belonging to other users/organizations. The leaked OVA contains long-lived agent JWTs and source configuration, enabling cross-tenant takeover of victim sources. No public exploit identified at time of analysis, but the upstream fix in PR #1218 confirms the access-control gap.

Technical ContextAI

migration-planner is the kubev2v upstream project (used by Red Hat Migration Toolkit for Virtualization) that builds an agent-bearing OVA image per 'source' and serves it via S3 presigned URLs generated by the Go handler ServiceHandler.GetSourceDownloadURL in internal/handlers/v1alpha1/source.go. The root cause maps to CWE-639 (Authorization Bypass Through User-Controlled Key): the handler accepted the {id} UUID from the request and issued a presigned URL without first checking that the calling user's Username and Organization match the source record's Username/OrgID. The fix PR adds an explicit ownership check (user.Username != source.Username || user.Organization != source.OrgID) returning 403, plus a new 500 response path, before invoking sourceSrv.GetSourceDownloadURL. Because the OVA embeds an agent JWT and source config, the disclosure is effectively a credential leak, not just data exposure.

Affected ProductsAI

Affected software is the upstream kubev2v migration-planner project (github.com/kubev2v/migration-planner) prior to the commit merged via pull request #1218; the same code ships in Red Hat's Migration Toolkit for Virtualization (Migration Planner component) - refer to the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-53470 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2487069 for the authoritative list of affected Red Hat product versions, as no CPE strings were provided in the source data and exact pre-fix version ranges are not enumerated in the upstream PR.

RemediationAI

Upstream fix available (PR https://github.com/kubev2v/migration-planner/pull/1218); released patched version not independently confirmed from the provided data, so consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-53470 for the exact MTV/migration-planner build that includes the ownership check and upgrade to that or later. As an interim compensating control where patching is not immediately possible, restrict the /api/v1/sources/{id}/image-url endpoint at an ingress/reverse-proxy layer to trusted operator accounts only (trade-off: blocks legitimate self-service OVA downloads), rotate any agent JWTs that may have been exposed (trade-off: requires re-deploying agents), and audit recent access logs for cross-tenant GETs on that endpoint to detect prior abuse.

Vendor StatusVendor

Share

CVE-2026-53470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy