Description
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Published: 2026-06-10
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can send a DELETE request to /api/v1/sources in migration‑planner, which lacks proper authorization, resulting in the deletion of all tenant data such as sources, agents, and assessments. The flaw allows an attacker to indiscriminately erase critical data, causing loss of availability and integrity for the entire SaaS platform.

Affected Systems

Migration‑planner is the affected SaaS platform. No specific vendor, product version or CPE string is disclosed in the available data.

Risk and Exploitability

The CVSS score of 9.1 indicates severe risk, and the flaw can be exploited by any authenticated user with API access. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of authorization controls makes exploitation likely if credentials are obtained or misused.

Generated by OpenCVE AI on June 10, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest migration‑planner release that includes the authorization fix
  • Ensure that only trusted users have API delete privileges and audit deletions
  • Monitor and restrict API traffic to mitigate accidental or malicious data wipes

Generated by OpenCVE AI on June 10, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubev2v
Kubev2v migration-planner
Vendors & Products Kubev2v
Kubev2v migration-planner

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Title Migration-planner: unprotected delete endpoint wipes all tenant data
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Kubev2v Migration-planner
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:49:35.776Z

Reserved: 2026-06-09T17:03:29.627Z

Link: CVE-2026-53469

cve-icon Vulnrichment

Updated: 2026-06-10T14:49:31.621Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T15:16:41.430

Modified: 2026-06-10T19:24:04.320

Link: CVE-2026-53469

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-07T00:00:00Z

Links: CVE-2026-53469 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:41:56Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function