CVE-2026-53470
Published 2026-06-10
Priority P2 · 61 · critical 9.6 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS 0.28% (19.7th percentile)
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
Detection & IOCs (extracted from sources)
- Monitor for authenticated requests to the `/api/v1/sources/{id}/image-url` endpoint where the requesting user's organization/username does not match the organization/username associated with the source UUID in the path. Cross-reference the bearer token identity against source ownership.
- Alert on repeated or cross-user calls to the image-url endpoint — particularly where a single authenticated identity queries multiple distinct source UUIDs (UUIDv4) in rapid succession, which may indicate enumeration of other users' OVA images.
- Audit the vulnerable code path in `internal/handlers/v1alpha1/source.go` at line 236 for the missing ownership check (`user.Organization == source.OrgID`). Patch by fetching the source first and comparing user.Username/user.Organization against source.Username/source.OrgID, returning 404 on mismatch.
- Treat any presigned S3 URLs returned by the image-url endpoint as potentially compromised if issued to a user who does not own the source. OVA images embed long-lived agent JWTs and source configurations that can be used for further unauthorized access.
- The vulnerability only affects authenticated users — an attacker must possess a valid bearer token to exploit the missing ownership check. Unauthenticated access is not the attack vector.
- The fix recommendation is to return HTTP 404 (not 403) on ownership mismatch to avoid acting as an existence oracle for source UUIDs belonging to other organizations.
- This vulnerability can be chained with a separate issue (referenced as 'f002') to allow an attacker to write to the victim's source using the stolen agent JWT, amplifying the impact beyond read-only disclosure.
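As an added example (not code from the migration-planner project, whose handler in `internal/handlers/v1alpha1/source.go` is not reproduced on this page), the Go sketch below pairs the fix described in the list above with its two monitoring rules. The handler fetches the source first, compares the caller's username and organization with `source.Username`/`source.OrgID`, and returns 404 on mismatch, the same status as for a missing record; the detector, run over a constructed access log, flags requests whose caller does not own the source and flags one identity that queries several distinct source IDs within a short window. The `Identity`, `Source`, `Store` and `AccessLog` types, the placeholder URL standing in for a real S3 presigner, and the sample records are all assumptions made here.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"time"
)

// Identity is the caller resolved from the bearer token; Source is the stored
// record with owner fields named as in the advisory; Store is the data layer.
// All three are hypothetical types; the project's own types are not on the page.
type Identity struct{ Username, Organization string }
type Source struct{ ID, Username, OrgID, ImageKey string }
type Store interface{ GetSource(id string) (*Source, error) }
type memStore map[string]*Source

func (m memStore) GetSource(id string) (*Source, error) {
	if s, ok := m[id]; ok {
		return s, nil
	}
	return nil, fmt.Errorf("source %q not found", id)
}

// owns is the ownership predicate the fix adds: organization and username must match.
func owns(user Identity, src *Source) bool {
	return src.OrgID == user.Organization && src.Username == user.Username
}

// HardenedDownloadURL fetches the source first and applies owns (the check the
// flaw omits). A mismatch returns 404, the same status as a missing source, so
// the endpoint is not an existence oracle for other organizations' UUIDs.
func HardenedDownloadURL(st Store, user Identity, id string) (int, string) {
	src, err := st.GetSource(id)
	if err != nil || !owns(user, src) {
		return http.StatusNotFound, ""
	}
	// Placeholder URL in place of a real S3 presigner (assumption, not the project's code).
	return http.StatusOK, "https://example-bucket.s3.invalid/" + src.ImageKey + "?X-Amz-Signature=PLACEHOLDER"
}

// AccessLog is one request record for the image-url endpoint (constructed format).
type AccessLog struct {
	At       time.Time
	User     Identity
	SourceID string
}

// DetectAbuse applies the advisory's two monitoring rules to time-ordered logs:
// a caller who does not own the requested source, and one identity touching at
// least threshold distinct source IDs within window (possible enumeration).
func DetectAbuse(st Store, logs []AccessLog, window time.Duration, threshold int) []string {
	var findings []string
	perUser := map[string][]AccessLog{}
	for _, l := range logs {
		who := l.User.Organization + "/" + l.User.Username
		if src, err := st.GetSource(l.SourceID); err == nil && !owns(l.User, src) {
			findings = append(findings, who+" requested image-url for foreign source "+l.SourceID)
		}
		perUser[who] = append(perUser[who], l)
	}
	for who, hits := range perUser {
		for i := range hits { // window starting at each request
			distinct := map[string]bool{}
			for j := i; j < len(hits) && hits[j].At.Sub(hits[i].At) <= window; j++ {
				distinct[hits[j].SourceID] = true
			}
			if len(distinct) >= threshold {
				findings = append(findings, fmt.Sprintf("%s queried %d distinct sources within %s", who, len(distinct), window))
				break
			}
		}
	}
	sort.Strings(findings) // map iteration order is random; sort for stable output
	return findings
}

// SampleStore and SampleLogs are constructed demonstration data, not real records.
func SampleStore() Store {
	return memStore{
		"1111-a": {ID: "1111-a", Username: "alice", OrgID: "org-A", ImageKey: "ova/alice.ova"},
		"2222-b": {ID: "2222-b", Username: "bob", OrgID: "org-B", ImageKey: "ova/bob.ova"},
		"3333-c": {ID: "3333-c", Username: "carol", OrgID: "org-B", ImageKey: "ova/carol.ova"},
	}
}

func SampleLogs() []AccessLog {
	t0 := time.Date(2026, 6, 10, 12, 0, 0, 0, time.UTC)
	alice, mallory := Identity{"alice", "org-A"}, Identity{"mallory", "org-A"}
	return []AccessLog{
		{t0, alice, "1111-a"},                        // owner reading her own source
		{t0.Add(5 * time.Second), mallory, "1111-a"}, // same org, different user
		{t0.Add(6 * time.Second), mallory, "2222-b"}, // other organization
		{t0.Add(7 * time.Second), mallory, "3333-c"}, // third distinct ID in 2 s
	}
}

func main() {
	for _, f := range DetectAbuse(SampleStore(), SampleLogs(), time.Minute, 3) {
		fmt.Println("ALERT:", f)
	}
}
```

`DetectAbuse` expects records already ordered by time, and the window/threshold pair should be tuned to how many sources a user normally touches; with a window shorter than the gap between requests the enumeration rule stays quiet while the ownership rule still fires. The same `owns` predicate serves both the handler and the detector, so the monitoring rule cannot drift from the authorization rule it is meant to verify.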
CVSS provenance
nvd · v3.1 · 9.6 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vendor_redhat · 9.6 CRITICAL
Red Hat (vendor_redhat · 2026-06-07 · CVSS 9.6)
CVE-2026-53470 [CRITICAL] CWE-639 migration-planner: GetSourceDownloadURL Missing Organization Check
GHSA (ghsa_unreviewed · 2026-06-10)
CVE-2026-53470 [CRITICAL] CWE-639 A flaw was found in migration-planner.
VulDB (vuldb · 2026-06-10 · CVSS 9.6)
CVE-2026-53470 [CRITICAL] migration-planner up to 0.13.4 OVA Image /api/v1/sources authorization
A vulnerability categorized as critical has been discovered in migration-planner up to 0.13.4. Affected is an unknown function of the file /api/v1/sources of the component OVA Image Handler. The manipulation results in authorization bypass.
This vulnerability is reported as CVE-2026-53470. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Published 2026-06-10