Description
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Published: 2026-06-10
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can send a DELETE request to /api/v1/sources in migration‑planner, which lacks proper authorization, resulting in the deletion of all tenant data such as sources, agents, and assessments. The flaw allows an attacker to indiscriminately erase critical data, causing loss of availability and integrity for the entire SaaS platform.

Affected Systems

Migration‑planner is the affected SaaS platform. No specific vendor, product version or CPE string is disclosed in the available data.

Risk and Exploitability

The CVSS score of 9.1 indicates severe risk, and the flaw can be exploited by any authenticated user with API access. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of authorization controls makes exploitation likely if credentials are obtained or misused.

Generated by OpenCVE AI on June 10, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest migration‑planner release that includes the authorization fix
  • Ensure that only trusted users have API delete privileges and audit deletions
  • Monitor and restrict API traffic to mitigate accidental or malicious data wipes

Generated by OpenCVE AI on June 10, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
Title Migration-planner: unprotected delete endpoint wipes all tenant data
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:49:35.776Z

Reserved: 2026-06-09T17:03:29.627Z

Link: CVE-2026-53469

cve-icon Vulnrichment

Updated: 2026-06-10T14:49:31.621Z

cve-icon NVD

Status : Received

Published: 2026-06-10T15:16:41.430

Modified: 2026-06-10T15:16:41.430

Link: CVE-2026-53469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses