CVE-2026-53471
Published 2026-06-10
Priority: P2 · 58 · critical
CVSS 3.1: 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS: 0.29% (20.3rd percentile)
A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.
Detection & IOCs (extracted from sources)
- The vulnerable handlers are UpdateSourceInventory and UpdateAgentStatus in the agent-API middleware — monitor for requests to these endpoints where the JWT source_id claim does not match the source ID in the URL path or request body, which indicates cross-tenant manipulation attempts.
- The vulnerable code is located at internal/handlers/v1alpha1/agent.go line 39 in the migration-planner repository — patch review and code auditing should focus on this file.
- Detection should alert when a valid agent JWT is used to write to a source ID that does not match the token's source_id claim — the helper functions auth.AgentFromContext / MustHaveAgent exist but have zero call sites, meaning no enforcement is currently in place.
- Watch for agent API requests that include a credentialUrl field being written to a tenant other than the one associated with the presenting JWT — this is the primary indicator of malicious credential URL planting.
- This vulnerability chains with a separate issue (f003) enabling full cross-tenant write from any Hybrid Cloud Console login — investigate correlated cross-tenant write activity across both the agent surface and the HCC login surface.
- The fix requires reading auth.MustHaveAgent(ctx).SourceID in both UpdateSourceInventory and UpdateAgentStatus handlers and returning HTTP 403 when the JWT source_id claim does not match the target source — without this, any valid agent token grants write access to every tenant's source.
- Each agent OVA is expected to carry a JWT with a source_id claim scoped to a single source — deployments should verify that JWT issuance enforces this single-source scoping and that tokens are not reusable across tenants.
- The agent-API middleware does validate JWT signatures and stores claims in context, but claim enforcement is entirely absent at the handler level — signature validation alone is insufficient to prevent cross-tenant abuse.
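The missing check described above is an object-level authorization test: after the middleware has verified the JWT signature and stored the claims in the context, each write handler must still compare the token's source_id claim with the source the request targets and refuse the write on mismatch. The following Go program is an added example written for this page, not code from the migration-planner repository; the Agent type, WithAgent/AgentFromContext helpers, the `/api/v1/sources/{id}/inventory` path shape and the updateSourceInventory handler are hypothetical stand-ins for the project's own auth package and handlers, chosen only to show where the comparison belongs and what the 403 path looks like.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Agent is a hypothetical stand-in for the claims the agent-API middleware
// stores in the request context after verifying the JWT signature.
type Agent struct {
	SourceID string // value of the JWT "source_id" claim
}

type ctxKey struct{}

// WithAgent mimics the middleware: signature already checked, claims stored in context.
func WithAgent(ctx context.Context, a Agent) context.Context {
	return context.WithValue(ctx, ctxKey{}, a)
}

// AgentFromContext is a stand-in for the project's helper of the same name.
func AgentFromContext(ctx context.Context) (Agent, bool) {
	a, ok := ctx.Value(ctxKey{}).(Agent)
	return a, ok
}

var (
	ErrNoAgent        = errors.New("no agent claims in context")
	ErrSourceMismatch = errors.New("token source_id does not match requested source")
)

// authorizeSourceWrite is the check the vulnerable handlers lacked: a token scoped
// to one source may only write to that source. Missing or empty claims are rejected.
func authorizeSourceWrite(ctx context.Context, requestedSourceID string) error {
	agent, ok := AgentFromContext(ctx)
	if !ok {
		return ErrNoAgent
	}
	if agent.SourceID == "" || agent.SourceID != requestedSourceID {
		return ErrSourceMismatch
	}
	return nil
}

// sourceIDFromPath extracts {id} from the hypothetical path /api/v1/sources/{id}/inventory.
func sourceIDFromPath(p string) string {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) >= 4 && parts[2] == "sources" {
		return parts[3]
	}
	return ""
}

// updateSourceInventory is a hypothetical handler shaped like the vulnerable ones:
// the target source comes from the path, the token claims from the context.
// The authorization check runs before any state is touched.
func updateSourceInventory(store map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sourceID := sourceIDFromPath(r.URL.Path)
		if err := authorizeSourceWrite(r.Context(), sourceID); err != nil {
			// A mismatch here is the detection signal described on this page; log it.
			http.Error(w, "forbidden: "+err.Error(), http.StatusForbidden)
			return
		}
		var body struct {
			Inventory string `json:"inventory"`
		}
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		store[sourceID] = body.Inventory
		w.WriteHeader(http.StatusOK)
	})
}

// simulateWrite sends a constructed inventory update carrying a token scoped to
// tokenSourceID at the endpoint of targetSourceID and returns the HTTP status.
func simulateWrite(store map[string]string, tokenSourceID, targetSourceID string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/sources/"+targetSourceID+"/inventory",
		strings.NewReader(`{"inventory":"vm-list-from-agent"}`))
	req = req.WithContext(WithAgent(req.Context(), Agent{SourceID: tokenSourceID}))
	rec := httptest.NewRecorder()
	updateSourceInventory(store).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := map[string]string{"src-victim": "original"} // constructed sample data
	fmt.Println(simulateWrite(store, "src-other", "src-victim"), store["src-victim"])
	fmt.Println(simulateWrite(store, "src-victim", "src-victim"), store["src-victim"])
}
```

The first call uses a token scoped to a different source and is refused with 403 before the store is modified; the second, where the claim and the target agree, succeeds. The same comparison belongs in every handler that writes to a source-scoped record (the page names UpdateAgentStatus as the second one), and the 403 responses are what a detection rule for cross-tenant attempts should be built on.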
CVSS provenance
- NVD (v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- vendor_redhat: 9.6 CRITICAL
VulDB
migration-planner up to 0.13.4 UpdateSourceInventory/UpdateAgentStatus authorization
vuldb · 2026-06-10 · CVSS 9.6
CVE-2026-53471 [CRITICAL] migration-planner up to 0.13.4 UpdateSourceInventory/UpdateAgentStatus authorization
A vulnerability identified as critical has been detected in migration-planner up to 0.13.4. Affected by this vulnerability is the function UpdateSourceInventory/UpdateAgentStatus. This manipulation causes authorization bypass.
This vulnerability appears as CVE-2026-53471. The attack may be initiated remotely. There is no available exploit.
You should upgrade the affected component.
GHSA
A flaw was found in migration-planner.
ghsa_unreviewed · 2026-06-10
CVE-2026-53471 [CRITICAL] CWE-639 A flaw was found in migration-planner.
Red Hat
migration-planner: Agent API Ignores JWT source_id Claim
vendor_redhat · 2026-06-07 · CVSS 9.6
CVE-2026-53471 [CRITICAL] CWE-639 migration-planner: Agent API Ignores JWT source_id Claim
No detection rules found.
No public exploits indexed.
Published: 2026-06-10