Home

Description

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-10 | Updated 2026-06-10 | Assigner redhat




CRITICAL: 9.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version before 0.13.5
affected

Timeline

2026-06-09:Reported to Red Hat.
2026-06-07:Made public.

References

access.redhat.com/security/cve/CVE-2026-53471 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2487070 (RHBZ#2487070) issue-tracking

github.com/kubev2v/migration-planner/pull/1213

cve.org (CVE-2026-53471)

nvd.nist.gov (CVE-2026-53471)

Download JSON