PatchSiren cyber security CVE debrief
CVE-2026-53470 Red Hat CVE debrief
CVE-2026-53470: A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
- Vendor
- Red Hat
- Product
- migration-planner
- CVSS
- CRITICAL 9.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Operators of any migration-planner deployment shared by more than one user or organisation, and every user whose OVA images were served by such a deployment: the image is not just data, it carries the long-lived agent JWT for that source, so exposure of the image is exposure of the agent's credentials.
Technical summary
The vulnerability has a CVSS score of 9.6 and is classified as CRITICAL. It is a broken object-level authorization (IDOR) flaw in the `/api/v1/sources/{id}/image-url` endpoint: the handler resolves `{id}` without confirming that the source belongs to the calling user, so any authenticated user who knows another user's source id receives a presigned S3 URL for that user's OVA image. A presigned URL is a bearer capability; once issued it downloads the object until it expires, regardless of who presents it and independently of the API's own authentication. The downloaded image embeds the source's long-lived agent JWT and configuration, which is what turns a read of the image into unauthorized access to, and modification of, the victim's source.
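To make the bypass concrete, here is an added example, written for this debrief and not taken from migration-planner's code base, of the vulnerable handler pattern beside the fixed one, in Go. Everything in it is assumed: the `Source` record and its `OwnerID` field, the `X-User-ID` header standing in for an already-authenticated principal, and `presign`, an HMAC stand-in for a real S3 presigner. The behaviour it shows is the one the advisory describes: the vulnerable handler looks the source up by `{id}` alone, so any authenticated user gets a working URL for any source.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Source is a hypothetical stand-in for a migration-planner source record;
// OwnerID is the user (or org) that created it.
type Source struct {
	ID       string
	OwnerID  string
	ImageKey string // object key of the OVA in the bucket
}

// store is constructed sample data: two users, each owning one source.
var store = map[string]Source{
	"src-1": {ID: "src-1", OwnerID: "alice", ImageKey: "ova/src-1.ova"},
	"src-2": {ID: "src-2", OwnerID: "bob", ImageKey: "ova/src-2.ova"},
}

// presign is a stand-in for an S3 presigner: it produces a bearer URL whose
// signature is an HMAC over key and expiry. Anyone holding it can fetch the object.
func presign(key string, ttl time.Duration) string {
	exp := time.Now().Add(ttl).Unix()
	mac := hmac.New(sha256.New, []byte("hypothetical-bucket-secret"))
	fmt.Fprintf(mac, "%s|%d", key, exp)
	return fmt.Sprintf("https://bucket.example/%s?Expires=%d&Signature=%s",
		key, exp, hex.EncodeToString(mac.Sum(nil)))
}

// callerID returns the authenticated principal. Authentication is assumed to
// have happened upstream; a real service would take this from a verified token.
func callerID(r *http.Request) string { return r.Header.Get("X-User-ID") }

// sourceID extracts {id} from /api/v1/sources/{id}/image-url, or "" if the
// path has a different shape.
func sourceID(path string) string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 5 || parts[4] != "image-url" {
		return ""
	}
	return parts[3]
}

// vulnerableImageURL looks the source up by id only: any authenticated caller
// who knows another user's source id gets a working download URL.
func vulnerableImageURL(w http.ResponseWriter, r *http.Request) {
	src, ok := store[sourceID(r.URL.Path)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, presign(src.ImageKey, 15*time.Minute))
}

// hardenedImageURL scopes the lookup to the caller: a source that exists but
// belongs to someone else is answered exactly like one that does not exist,
// so the endpoint cannot be used to enumerate other users' source ids.
func hardenedImageURL(w http.ResponseWriter, r *http.Request) {
	src, ok := store[sourceID(r.URL.Path)]
	if !ok || src.OwnerID != callerID(r) {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, presign(src.ImageKey, 15*time.Minute))
}

// request runs a handler as user asking for id and returns the status code
// and whether a presigned URL came back in the body.
func request(h http.HandlerFunc, user, id string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/sources/"+id+"/image-url", nil)
	req.Header.Set("X-User-ID", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), "Signature=")
}

func main() {
	handlers := []struct {
		name string
		fn   http.HandlerFunc
	}{{"vulnerable", vulnerableImageURL}, {"hardened", hardenedImageURL}}
	for _, h := range handlers {
		code, leaked := request(h.fn, "bob", "src-1") // bob asks for alice's source
		fmt.Printf("%-10s bob -> src-1: status=%d url_returned=%v\n", h.name, code, leaked)
	}
}
```

Answering a foreign source id with 404 rather than 403 keeps the endpoint from confirming which ids exist. Note also that once `presign` has handed out a URL nothing in the API can recall it; the only control left is the expiry baked into the signature, which is why lifetimes should be short.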
Defensive priority
High
Recommended defensive actions
- Apply the vendor fix for the improper access control vulnerability.
- The missing check is a per-object ownership check, not endpoint-level access control: the attacker is already an authenticated user. Until the fix is deployed, enforce server-side that the source identified by `{id}` belongs to the caller (or disable the endpoint), and return the same not-found response for foreign and non-existent ids so the endpoint cannot be used to enumerate source ids.
- Review access logs for requests to `/api/v1/sources/{id}/image-url` where the caller is not the owner of `{id}`, and keep alerting on them after patching; treat every image that was served to a non-owner as exposed.
- Rotate the agent JWTs of exposed sources rather than relying on the image contents staying secret, and keep presigned URL lifetimes short. Encrypting the bucket does not mitigate this flaw: a presigned GET returns the decrypted object to whoever holds the URL.
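The log review and the rotation step above, as an added example that is not tooling shipped with migration-planner: it scans a constructed newline-delimited JSON access log, assumes a hypothetical `user`/`path`/`status` field layout and a source-to-owner map exported from the service's database, flags image-url requests by non-owners (including blocked attempts, which after patching are the sign of continued probing), and lists the sources whose images were actually served that way and therefore need their agent JWTs rotated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// accessEntry is the assumed layout of one structured access-log line.
// Field names are hypothetical; adapt them to the deployment's log format.
type accessEntry struct {
	TS     string `json:"ts"`
	User   string `json:"user"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Status int    `json:"status"`
}

// owners maps source id to owning user, as it would be exported from the
// service's database. Constructed sample data.
var owners = map[string]string{
	"src-1": "alice",
	"src-2": "bob",
	"src-3": "bob",
}

// sampleLogs is a constructed access log: alice fetches her own image, bob
// fetches alice's image (the bypass), probes a non-existent id, reads his own
// source metadata, and fetches his own image.
const sampleLogs = `
{"ts":"2026-06-10T16:01:02Z","user":"alice","method":"GET","path":"/api/v1/sources/src-1/image-url","status":200}
{"ts":"2026-06-10T16:01:30Z","user":"bob","method":"GET","path":"/api/v1/sources/src-1/image-url","status":200}
{"ts":"2026-06-10T16:01:31Z","user":"bob","method":"GET","path":"/api/v1/sources/src-9/image-url","status":404}
{"ts":"2026-06-10T16:02:00Z","user":"bob","method":"GET","path":"/api/v1/sources/src-2","status":200}
{"ts":"2026-06-10T16:02:10Z","user":"bob","method":"GET","path":"/api/v1/sources/src-3/image-url","status":200}
`

var imageURLPath = regexp.MustCompile(`^/api/v1/sources/([^/]+)/image-url$`)

// Finding is one image-url request made by someone other than the source's owner.
// Owner is empty when the id is not in the owner map (probing for ids).
type Finding struct {
	TS, User, SourceID, Owner string
	Status                    int
}

// crossTenantImageRequests parses newline-delimited JSON access logs and
// returns every image-url request whose caller does not own the source.
// Non-2xx attempts are kept on purpose: after the fix they show who is still trying.
func crossTenantImageRequests(logs string) ([]Finding, error) {
	var out []Finding
	for n, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("log line %d: %w", n+1, err)
		}
		m := imageURLPath.FindStringSubmatch(e.Path)
		if m == nil {
			continue
		}
		owner, known := owners[m[1]]
		if known && owner == e.User {
			continue
		}
		out = append(out, Finding{TS: e.TS, User: e.User, SourceID: m[1], Owner: owner, Status: e.Status})
	}
	return out, nil
}

// sourcesToRotate returns the distinct source ids whose image URL was actually
// handed out (2xx) to a non-owner: their agent JWTs should be treated as exposed.
func sourcesToRotate(findings []Finding) []string {
	seen := map[string]bool{}
	var ids []string
	for _, f := range findings {
		if f.Owner != "" && f.Status >= 200 && f.Status < 300 && !seen[f.SourceID] {
			seen[f.SourceID] = true
			ids = append(ids, f.SourceID)
		}
	}
	return ids
}

func main() {
	findings, err := crossTenantImageRequests(sampleLogs)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s user=%s source=%s owner=%q status=%d\n", f.TS, f.User, f.SourceID, f.Owner, f.Status)
	}
	fmt.Println("rotate agent JWTs for:", sourcesToRotate(findings))
}
```

On the constructed log this reports bob's fetch of alice's `src-1` and his probe of the unknown `src-9`, and names `src-1` as the source whose agent JWT to rotate. A request for an id the owner map does not know is reported with an empty owner rather than dropped, because a burst of such 404s from one user is the enumeration pattern to watch for once the fix is in place.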
Evidence notes
The CVE record was published on 2026-06-10T15:16:41.567Z and modified on 2026-06-10T19:24:04.320Z. The vulnerability was reported by [email protected].
Official resources
CVE-2026-53470 was published on 2026-06-10T15:16:41.567Z.