Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions.
AnalysisAI
Stored cross-site scripting in Red Hat's migration-planner-ui-app (kubev2v project) allows an authenticated attacker who can register a discovery agent to inject a javascript: URI into the agent's credentialUrl field, which executes in another organizational user's browser when they click the resulting link in the UI. No public exploit identified at time of analysis, but the upstream fix (PR #750) and Red Hat Bugzilla entry confirm the issue is real and patched via a safeExternalUrl protocol allowlist. Successful exploitation hijacks the victim's Red Hat SSO session and enables cross-tenant data access and API actions.
Technical ContextAI
migration-planner-ui-app is the React/TypeScript front-end of the kubev2v migration-planner, a tool that helps assess and migrate VMware workloads onto Red Hat OpenShift Virtualization. The vulnerable code path is in src/ui/assessment/views/CreateFromOva.tsx, which rendered an anchor tag whose href was taken directly from vm.createdSource.agent.credentialUrl - an attacker-controlled string returned by the discovery agent registration API. Because React does not sanitize the href attribute, a javascript: scheme URI passes through unchanged and executes in the click handler's origin (CWE-79, Improper Neutralization of Input During Web Page Generation). The fix introduces a safeExternalUrl() helper that parses the value with the URL constructor and only returns it if the protocol is http: or https:, blocking javascript:, data:, vbscript:, file:, and ftp: schemes.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - upgrade migration-planner-ui-app to a build containing https://github.com/kubev2v/migration-planner-ui-app/pull/750, which routes credentialUrl through the new safeExternalUrl() helper that rejects any scheme other than http: or https:. For Red Hat-shipped deployments, monitor https://access.redhat.com/security/cve/CVE-2026-53473 and Bugzilla 2487107 for the exact errata and update affected migration-planner images when published. As an interim compensating control until the patched image is deployed, restrict who can register discovery agents (the attacker capability that is the precondition) to trusted operators only, and instruct organizational users not to click credentialUrl links from agents they did not provision themselves; a stronger but more disruptive option is to deploy a Content-Security-Policy that disallows inline script execution on the migration-planner UI origin, accepting that this may break other UI features that rely on inline handlers and should be tested in staging first.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36029
GHSA-g89r-93r3-rqqp