
migration-planner EUVD-2026-36030

CVE-2026-53474 | CRITICAL
SQL Injection (CWE-89)
Published 2026-06-10 | redhat | GHSA-vf2h-7x3w-97fr
CVSS 3.1 base score: 9.6

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Jun 10, 2026 15:04 (vuln.today): Source Code Evidence Fetched
Jun 10, 2026 15:04 (vuln.today): Analysis Generated
Jun 10, 2026 13:55 (nvd): CVE Published

Description (NVD)

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.

Analysis (AI-generated)

SQL injection in Red Hat's kubev2v migration-planner allows a remote authenticated attacker to upload a crafted RVTools .xlsx file whose cluster-name cells are interpolated unsanitized into DuckDB queries, enabling arbitrary file reads on the host. Because the tool runs as a SaaS migration assessment service, leaked Kubernetes service account tokens or other credentials can pivot to full environment compromise. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to migration-planner tenant
Delivery: Craft RVTools .xlsx with SQLi in cluster cell
Exploit: Upload file via assessment API
Install: DuckDB executes injected query reading service-account token
C2: Exfiltrate token in query response
Execute: Authenticate to Kubernetes API with stolen token
Impact: Pivot across SaaS environment

Vulnerability Assessment (AI-generated)

Exploitation
Exploitation requires (1) an authenticated account with permission to submit an RVTools .xlsx inventory file to migration-planner (PR:L per CVSS), (2) the upload flowing through any of the vulnerable query builders in pkg/duckdb_parser/builder.go that interpolate Cluster, OS, PowerState, or VmId filters (VMQuery, DatastoreQuery, NetworkQuery, HostQuery, ClusterFeaturesQuery, VMCountQuery, PowerStateCountsQuery, HostPowerStateCountsQuery, CPUTierQuery, MemoryTierQuery, NicTierQuery, ComplexityDistributionQuery, DiskSizeTierQuery, DiskComplexityTierQuery, DiskTypeSummaryQuery), and (3) the DuckDB engine retaining file-read functions such as read_blob/read_csv on the deployment. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment
The CVSS 9.6 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N indicates network-reachable, low-complexity exploitation requiring only low-privileged authentication and no user interaction, with a scope change to the underlying SaaS environment. This is consistent with the description's claim that file reads expose Kubernetes credentials enabling lateral movement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario
A tenant user with upload rights crafts an RVTools .xlsx whose Cluster column contains a value like `x' UNION SELECT content FROM read_blob('/var/run/secrets/kubernetes.io/serviceaccount/token') --`, then uploads it through the normal assessment workflow. When migration-planner parses the spreadsheet and interpolates the cluster name into a DuckDB query, the injected SQL executes and the pod's service-account token comes back in the query result (or lands in logs), which the attacker then uses to authenticate to the Kubernetes API and pivot across the SaaS environment. Two practical caveats: a UNION payload only runs against a builder whose SELECT list has the same number of columns as the injected SELECT, so the working payload depends on which of the listed builders consumes the filter; and the token only reaches the attacker if that query's rows are surfaced to the uploader (for example in the assessment output) or are otherwise readable.

Remediation
Upstream fix available (PR https://github.com/kubev2v/migration-planner/pull/1231); a released patched version is not independently confirmed. Operators of self-hosted migration-planner should rebuild from a commit that includes the escapeSQLString wrapping of ClusterFilter, OSFilter, PowerStateFilter, and VmIDFilter in pkg/duckdb_parser/builder.go; SaaS users should track Red Hat's advisory at https://access.redhat.com/security/cve/CVE-2026-53474 and Bugzilla 2487231 for the rolled service update. Note that escaping string literals closes the string-context injection in those four filters but cannot protect a value interpolated outside quotes (numbers, identifiers, LIMIT values), so a rebuild should be checked for any other interpolation sites; binding filters as query parameters is the more robust long-term shape. Independently of the code fix, DuckDB's enable_external_access setting (SET enable_external_access = false, with lock_configuration = true so a query cannot flip it back) disables the CSV/Parquet readers and other filesystem access and therefore removes condition (3) above. That is general DuckDB hardening rather than a control the advisory lists, and it should be verified to cover read_blob on the deployed DuckDB version. … Detailed patch versions, workarounds, and compensating controls in full report.
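The three builder shapes discussed in the assessment and the remediation above, side by side, as an added example that is not code from migration-planner or from this page: a filter pasted into SQL text (the vulnerable pattern), the same builder wrapped in an escapeSQLString equivalent (the fix shape the page describes), and a parameterized form. The table and column names, the `hostQuery*` names, and the escapeSQLString body (quote doubling, which is the standard SQL and DuckDB escape for '...' literals) are assumptions for illustration; the helper `stripStringLiterals` exists only so the example can show which variant lets the payload reach SQL syntax. Nothing here talks to DuckDB, so it runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerable shape of a filter-taking builder, modelled on the page's description of
// pkg/duckdb_parser/builder.go (table and column names are assumptions, not the
// project's schema): the cluster value is pasted straight into the SQL text.
func hostQueryVulnerable(cluster string) string {
	return fmt.Sprintf("SELECT name FROM hosts WHERE cluster = '%s'", cluster)
}

// escapeSQLString as assumed here: double every single quote, the standard SQL (and
// DuckDB) way to embed a quote in a '...' literal. DuckDB does not treat backslash
// as an escape in ordinary string literals, so quote doubling is sufficient.
func escapeSQLString(s string) string {
	return strings.ReplaceAll(s, "'", "''")
}

// Escaped builder: the fix shape the page describes, escapeSQLString around the filter.
func hostQueryEscaped(cluster string) string {
	return fmt.Sprintf("SELECT name FROM hosts WHERE cluster = '%s'", escapeSQLString(cluster))
}

// Parameterized builder: the filter travels as a bound argument (database/sql-style
// '?' placeholder), so the SQL text is constant and nothing needs escaping.
func hostQueryParameterized(cluster string) (string, []any) {
	return "SELECT name FROM hosts WHERE cluster = ?", []any{cluster}
}

// stripStringLiterals blanks the contents of '...' literals (honouring the '' escape)
// so that whatever remains is SQL syntax rather than data.
func stripStringLiterals(query string) string {
	var out strings.Builder
	inLit := false
	for i := 0; i < len(query); i++ {
		c := query[i]
		if inLit {
			if c != '\'' {
				continue // data inside the literal: drop it
			}
			if i+1 < len(query) && query[i+1] == '\'' {
				i++ // '' is an escaped quote, still inside the literal
				continue
			}
			inLit = false
			out.WriteByte('\'') // closing quote
			continue
		}
		if c == '\'' {
			inLit = true
		}
		out.WriteByte(c)
	}
	return out.String()
}

// injected reports whether a set operation or a file-reading call appears in the SQL
// syntax of the built query, i.e. outside every string literal.
func injected(query string) bool {
	code := strings.ToUpper(stripStringLiterals(query))
	return strings.Contains(code, " UNION ") || strings.Contains(code, "READ_BLOB(")
}

func main() {
	// Payload from the page's exploit scenario. The base query returns one column,
	// which the UNION SELECT of read_blob's content column has to match.
	payload := "x' UNION SELECT content FROM read_blob('/var/run/secrets/kubernetes.io/serviceaccount/token') --"
	for _, name := range []string{"vulnerable", "escaped"} {
		q := hostQueryVulnerable(payload)
		if name == "escaped" {
			q = hostQueryEscaped(payload)
		}
		fmt.Printf("%-13s injected=%v\n  %s\n", name, injected(q), q)
	}
	q, args := hostQueryParameterized(payload)
	fmt.Printf("%-13s injected=%v\n  %s  args=%q\n", "parameterized", injected(q), q, args)
}
```

Running it prints the vulnerable query with `UNION SELECT content FROM read_blob(...)` sitting in SQL position, the escaped query with the whole payload trapped inside one literal (`'x'' UNION ... --'`), and the parameterized query whose text never changes. The escaped form is what the page's fix does; the parameterized form is the shape to prefer when touching the builders again, because it also covers values that are not string literals.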

Recommended Action (AI-generated)

Within 24 hours: disable new RVTools .xlsx file uploads to the SaaS service; audit recent file operations and query logs for DuckDB filesystem functions (read_blob, read_csv and similar) and for references to secret paths; rotate the Kubernetes service account tokens mounted into the migration-planner pod and any other credentials readable from its filesystem, since a file read under this flaw exposes exactly those. …
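A triage pass over statement logs of the kind the action above calls for, as an added example that is not code from migration-planner or from this page. The log line format (`timestamp tenant=... stmt="..."`) and the sample lines are constructed for the example; migration-planner's real logging is not shown on the page. The function names the DuckDB table functions and statements that touch the host filesystem (read_blob, read_text, read_csv/read_csv_auto, read_parquet, read_json/read_json_auto, glob, COPY, INSTALL/LOAD), flags secret paths, and flags UNION or comment markers. It deliberately does not try to tell data from SQL syntax: for an audit, any inventory query that mentions these at all deserves a look, including ones where the text sits inside an escaped literal.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample statement log for this example (assumed format, not the project's).
var sampleLog = []string{
	`2026-06-10T14:02:11Z tenant=acme stmt="SELECT name FROM hosts WHERE cluster = 'prod-east'"`,
	`2026-06-10T14:02:12Z tenant=acme stmt="SELECT name FROM hosts WHERE cluster = 'x' UNION SELECT content FROM read_blob('/var/run/secrets/kubernetes.io/serviceaccount/token') --'"`,
	`2026-06-10T14:03:40Z tenant=beta stmt="SELECT count(*) FROM vms WHERE power_state = 'poweredOn'"`,
	`2026-06-10T14:05:02Z tenant=beta stmt="SELECT * FROM read_csv('/etc/passwd')"`,
	`2026-06-10T14:06:00Z tenant=acme stmt="SELECT name FROM hosts WHERE cluster = 'O''Brien lab'"`,
}

// DuckDB table functions and statements that read or write the host filesystem.
var fileAccessPattern = regexp.MustCompile(`(?i)\b(read_blob|read_text|read_csv|read_csv_auto|read_parquet|read_json|read_json_auto|glob)\s*\(|\bCOPY\b|\b(INSTALL|LOAD)\b`)

// Paths that never belong in a VM inventory query.
var secretPathPattern = regexp.MustCompile(`/var/run/secrets/|/etc/passwd|/proc/|\.kube/config`)

// Set operations and comment markers have no place in a filter value.
var sqlBreakoutPattern = regexp.MustCompile(`(?i)\bUNION\b|--|/\*`)

// Assumed log line shape: "... tenant=<id> stmt="<sql>"".
var stmtPattern = regexp.MustCompile(`tenant=(\S+)\s+stmt="(.*)"$`)

// Finding is one log line worth a human look, with the reasons it was flagged.
type Finding struct {
	Line    int
	Tenant  string
	Reasons []string
}

// auditQueryLog scans log lines and returns the ones that reference filesystem
// access, secret paths, or SQL breakout markers, in input order.
func auditQueryLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := stmtPattern.FindStringSubmatch(line)
		if m == nil {
			continue // not a statement log line
		}
		tenant, stmt := m[1], m[2]
		var reasons []string
		if fileAccessPattern.MatchString(stmt) {
			reasons = append(reasons, "filesystem access function")
		}
		if secretPathPattern.MatchString(stmt) {
			reasons = append(reasons, "secret path referenced")
		}
		if sqlBreakoutPattern.MatchString(stmt) {
			reasons = append(reasons, "UNION or comment marker")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Line: i + 1, Tenant: tenant, Reasons: reasons})
		}
	}
	return findings
}

func main() {
	for _, f := range auditQueryLog(sampleLog) {
		fmt.Printf("line %d tenant=%s: %s\n", f.Line, f.Tenant, strings.Join(f.Reasons, "; "))
	}
}
```

On the sample, line 2 (the page's payload) and line 4 (a plain read_csv of /etc/passwd) are flagged; the legitimate queries, including the cluster name with an escaped apostrophe, are not. Treat a hit as a lead for the token rotation and file-operation review in the action above, not as proof on its own.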


EUVD-2026-36030 vulnerability details – vuln.today
