
Description

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
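The pattern behind this CWE-639 bug is a lookup keyed only on the caller-supplied `{id}`: the record is fetched, and the presigned URL minted, without ever asking whether the authenticated caller owns that record. The Go program below is an added illustration, not code from migration-planner or from the fix in PR #1218. It contrasts a handler that resolves the source purely by `{id}` with one that binds the lookup to the caller's organisation, and treats a foreign source exactly like a missing one so the endpoint does not confirm that another tenant's id exists. The `Source` type, the in-memory `store`, the `X-Org` header standing in for the org claim a real service would read from its validated JWT, and the `presign` stub are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Source is a hypothetical, minimal stand-in for a migration-planner source record.
type Source struct {
	ID       string
	OwnerOrg string // tenant that created the source
	ImageKey string // object key of the OVA in the bucket
}

// store is a constructed in-memory table with sources owned by two different tenants.
var store = map[string]Source{
	"src-1": {ID: "src-1", OwnerOrg: "org-alice", ImageKey: "ova/alice.ova"},
	"src-2": {ID: "src-2", OwnerOrg: "org-bob", ImageKey: "ova/bob.ova"},
}

var ErrNotFound = errors.New("source not found")

// presign is a stand-in for the real S3 presigner; it only fakes a signed URL for the key.
func presign(key string) string {
	return "https://bucket.example/" + key + "?X-Amz-Signature=stub"
}

// imageURLVulnerable reproduces the flaw pattern: the source is fetched by the
// caller-supplied id alone, so any authenticated caller gets a URL for any source.
func imageURLVulnerable(callerOrg, id string) (string, error) {
	src, ok := store[id]
	if !ok {
		return "", ErrNotFound
	}
	_ = callerOrg // identity is never consulted
	return presign(src.ImageKey), nil
}

// imageURLFixed binds the lookup to the caller's identity. A source that exists but
// belongs to another tenant yields the same ErrNotFound as a missing id, so the
// response neither leaks the URL nor confirms that the foreign id exists.
func imageURLFixed(callerOrg, id string) (string, error) {
	src, ok := store[id]
	if !ok || src.OwnerOrg != callerOrg {
		return "", ErrNotFound
	}
	return presign(src.ImageKey), nil
}

// imageURLHandler serves a hypothetical route shaped like the affected endpoint,
// /api/v1/sources/{id}/image-url, using whichever lookup it is given. The caller's
// organisation is taken from the X-Org header as a stand-in for a JWT claim.
func imageURLHandler(lookup func(callerOrg, id string) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 5 || parts[0] != "api" || parts[1] != "v1" ||
			parts[2] != "sources" || parts[4] != "image-url" {
			http.NotFound(w, r)
			return
		}
		url, err := lookup(r.Header.Get("X-Org"), parts[3])
		switch {
		case errors.Is(err, ErrNotFound):
			http.Error(w, "not found", http.StatusNotFound)
		case err != nil:
			http.Error(w, "internal error", http.StatusInternalServerError)
		default:
			fmt.Fprintf(w, `{"url":%q}`, url)
		}
	}
}

// requestImageURL drives a handler with an in-memory request and returns status and body.
func requestImageURL(h http.HandlerFunc, callerOrg, id string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/sources/"+id+"/image-url", nil)
	req.Header.Set("X-Org", callerOrg)
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, strings.TrimSpace(rr.Body.String())
}

func main() {
	handlers := []struct {
		name string
		fn   http.HandlerFunc
	}{
		{"vulnerable", imageURLHandler(imageURLVulnerable)},
		{"fixed", imageURLHandler(imageURLFixed)},
	}
	// org-bob asks for org-alice's source: the vulnerable handler hands over the URL,
	// the fixed one answers 404 exactly as it would for an id that does not exist.
	for _, h := range handlers {
		code, body := requestImageURL(h.fn, "org-bob", "src-1")
		fmt.Printf("%-10s bob requests src-1: %d %s\n", h.name, code, body)
	}
}
```

The check belongs in the data access path (a query filtered by both id and owner), not in a separate step after a bare fetch by id; that way every new handler that reuses the lookup inherits the ownership constraint, and a 404 on foreign ids gives an attacker no oracle for enumerating other tenants' sources.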

PUBLISHED Reserved 2026-06-09 | Published 2026-06-10 | Updated 2026-06-10 | Assigner redhat

CVSS v3.1 base score: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version before 0.13.5
affected

Timeline

2026-06-07: Made public.
2026-06-09: Reported to Red Hat.

References

access.redhat.com/security/cve/CVE-2026-53470 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2487069 (RHBZ#2487069) issue-tracking

github.com/kubev2v/migration-planner/pull/1218

cve.org (CVE-2026-53470)

nvd.nist.gov (CVE-2026-53470)
