Skip to main content

migration-planner CVE-2026-53471

| EUVDEUVD-2026-36031 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-10 redhat GHSA-2fqw-7c6r-2cq6
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 15:06 vuln.today
Analysis Generated
Jun 10, 2026 - 15:06 vuln.today

DescriptionNVD

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.

AnalysisAI

Cross-tenant data tampering in kubev2v migration-planner allows an authenticated agent token holder to overwrite inventory and status data belonging to other tenants. The agent-API middleware accepts any valid JWT without verifying the token's source_id claim matches the source ID in the UpdateSourceInventory and UpdateAgentStatus request paths, enabling complete tenant isolation collapse. No public exploit identified at time of analysis, but the upstream fix in PR #1213 (kubev2v/migration-planner) confirms the issue is real and trivially exploitable given a low-privileged agent token.

Technical ContextAI

migration-planner is the Red Hat / kubev2v open-source service that orchestrates VM-to-OpenShift migration assessments, accepting telemetry from per-tenant agents that authenticate to the agent-API via JWTs containing a source_id claim binding the token to a specific migration source. The vulnerability is an authorization (not authentication) flaw - classically CWE-639 (Authorization Bypass Through User-Controlled Key) / CWE-863 (Incorrect Authorization): the JWT signature is verified, but the source_id claim is never compared to the source ID supplied in the request URL/body. The patch in internal/handlers/v1alpha1/agent.go adds explicit agentJWT.SourceID != request.Id.String() checks in UpdateSourceInventory and UpdateAgentStatus, returning HTTP 403 on mismatch - confirming the prior code path performed no per-resource ownership check despite tokens being scoped to a single source.

Affected ProductsAI

kubev2v migration-planner (Red Hat Migration Toolkit for Virtualization assessment component) versions prior to the fix landed in pull request https://github.com/kubev2v/migration-planner/pull/1213 are affected; no CPE strings were published with this advisory and no exact tagged release version is cited in the upstream references. Red Hat tracking is at https://access.redhat.com/security/cve/CVE-2026-53471 and https://bugzilla.redhat.com/show_bug.cgi?id=2487070 - consult those advisories for the authoritative list of affected Red Hat product builds and shipped versions.

RemediationAI

Upstream fix available (PR https://github.com/kubev2v/migration-planner/pull/1213); released patched version not independently confirmed - track the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-53471 for the exact downstream build numbers to upgrade to. Until you can deploy the patched build, compensating controls include: rotating and re-issuing all agent JWTs to limit the window for any already-leaked token; placing a reverse proxy or API gateway in front of the agent-API that enforces a per-tenant network or mTLS boundary so agents from tenant A cannot reach the agent-API endpoints scoped to tenant B (trade-off: requires network re-architecture and per-tenant ingress); or temporarily disabling the agent-API endpoints PUT /sources/{id}/inventory and the agent status update path at the ingress layer (trade-off: breaks ongoing migration assessments until the patch is applied). Auditing recent UpdateSourceInventory and UpdateAgentStatus calls for source IDs that do not match the calling agent's token claim will surface prior abuse.

Vendor StatusVendor

Share

CVE-2026-53471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy