Description
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
Published: 2026-06-10
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can exploit an improper access control check on the /api/v1/sources/{id}/image-url endpoint in migration‑planner. The flaw allows the attacker to bypass the ownership verification and retrieve a presigned S3 URL for an Open Virtual Appliance image that belongs to another user. Downloading that image can expose long‑lived agent JSON Web Tokens, source configurations, and other sensitive data, potentially granting the attacker unauthorized access or the ability to modify the victim’s source.

Affected Systems

The affected product is migration‑planner. No specific version range is listed by the CVE, so all versions that have not been patched for this flaw are considered vulnerable.

Risk and Exploitability

The CVSS score of 9.6 reflects a high-impact vulnerability that requires only an authenticated (low-privileged) user. The EPSS score is not available, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is over the network, by an authenticated attacker who can directly call the vulnerable API endpoint. Because the flaw permits the download of privileged artifacts, it can lead to significant confidentiality breaches and potential compromise of source configurations.

Generated by OpenCVE AI on June 10, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade migration‑planner to a version that includes the access‑control fix
  • Configure the API gateway or application to enforce strict ownership checks on all source‑related endpoints
  • Revoke any existing presigned S3 URLs that may have been exposed and rotate the associated JWTs
  • Monitor for unauthorized usage of S3 URLs and audit API access logs for suspicious activity
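The defect the description and the second recommended action describe is an object-level authorization gap (CWE-639): the handler resolves the source purely from the caller-supplied `{id}` and never compares the record's owning organization with the caller's. The following Go example, written here for illustration and not taken from the migration-planner code base, shows that flawed lookup next to a hardened version that applies the ownership check before any presigned URL is issued. The `Source`, `Caller`, `store` and `presign` names, the in-memory table, and the toy HMAC-signed URL are all constructed for this example; the real project's types, storage and S3 presigning differ.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Source is a simplified stand-in for a source record. The field names are
// assumptions for this example, not the project's schema.
type Source struct {
	ID    string
	OrgID string // organization that owns the source
	Key   string // object key of the OVA image in the bucket
}

// Caller is the authenticated identity extracted from the request's token.
type Caller struct {
	UserID string
	OrgID  string
}

var ErrNotFound = errors.New("source not found")

// store is a constructed in-memory table holding sources from two organizations.
var store = map[string]Source{
	"src-1": {ID: "src-1", OrgID: "org-a", Key: "ova/src-1.ova"},
	"src-2": {ID: "src-2", OrgID: "org-b", Key: "ova/src-2.ova"},
}

// presign builds a toy signed URL: object key plus expiry, authenticated with
// an HMAC so the string cannot be altered. Real S3 presigning differs in
// detail; this stand-in only exists so the handlers return something concrete.
func presign(key string, ttl time.Duration, secret []byte, now time.Time) string {
	expires := now.Add(ttl).Unix()
	payload := fmt.Sprintf("%s?expires=%d", key, expires)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return fmt.Sprintf("https://bucket.example/%s&sig=%s", payload, hex.EncodeToString(mac.Sum(nil)))
}

// getSourceDownloadURLVulnerable mirrors the flawed pattern: the source is
// looked up by the caller-supplied id alone, so any authenticated user
// receives a URL for any id that exists, regardless of who owns it.
func getSourceDownloadURLVulnerable(c Caller, id string, secret []byte, now time.Time) (string, error) {
	src, ok := store[id]
	if !ok {
		return "", ErrNotFound
	}
	return presign(src.Key, 15*time.Minute, secret, now), nil
}

// getSourceDownloadURL is the hardened form: the record's owning organization
// must match the caller's. A mismatch is reported exactly like a missing id so
// the endpoint does not reveal which ids exist in other organizations.
func getSourceDownloadURL(c Caller, id string, secret []byte, now time.Time) (string, error) {
	src, ok := store[id]
	if !ok || src.OrgID != c.OrgID {
		return "", ErrNotFound
	}
	return presign(src.Key, 15*time.Minute, secret, now), nil
}

func main() {
	secret := []byte("constructed-example-secret")
	now := time.Unix(1700000000, 0)
	caller := Caller{UserID: "u-9", OrgID: "org-a"} // belongs to org-a only

	u, err := getSourceDownloadURLVulnerable(caller, "src-2", secret, now)
	fmt.Println("vulnerable, other org's source:", u, err)
	u, err = getSourceDownloadURL(caller, "src-2", secret, now)
	fmt.Println("hardened,   other org's source:", u, err)
	u, err = getSourceDownloadURL(caller, "src-1", secret, now)
	fmt.Println("hardened,   own source:        ", u, err)
}
```

Two design points carry over to a real service: the ownership comparison belongs in the same code path that loads the record (ideally in the query itself, filtering by both id and organization) rather than in a separate middleware that individual handlers can forget to apply, and the expiry on the presigned URL bounds how long an already-leaked URL remains usable, which is why the third recommended action above pairs revocation with rotating the embedded JWTs.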


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.

Type: Title
Values Removed: (none)
Values Added: Migration-planner: getsourcedownloadurl missing organization check

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:43:33.884Z

Reserved: 2026-06-09T17:03:29.627Z

Link: CVE-2026-53470

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T15:16:41.567

Modified: 2026-06-10T15:16:41.567

Link: CVE-2026-53470

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses