PatchSiren cyber security CVE debrief
CVE-2026-53471 Red Hat CVE debrief
A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.
- Vendor: Red Hat
- Product: migration-planner
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of migration-planner, especially those with multi-tenant environments, should be aware of this critical vulnerability.
Technical summary
The vulnerability has a CVSS score of 9.6 and is classified as CRITICAL. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. The weakness is categorized as CWE-639.
Defensive priority
high
Recommended defensive actions
- Apply patches or updates provided by the vendor as soon as possible.
- Review and update authentication and authorization mechanisms to ensure proper tenant isolation.
- Monitor for suspicious activity and implement additional security measures to prevent exploitation.
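The object-level check the flaw description calls for, as an added Go illustration rather than code from the migration-planner project: the vulnerable handler trusts any authenticated agent token, while the fixed one refuses a request whose source ID differs from the token's source_id claim. The claim field names, store and handler names are hypothetical, and signature and expiry verification are assumed to have already happened in the middleware.

```go
package main

import "errors"

// AgentClaims models the JWT claims after the middleware has verified signature and
// expiry. Field names are assumptions, not the project's real claim names.
type AgentClaims struct {
	Subject  string // agent identity
	SourceID string // the single source this agent token was issued for
}

// ErrSourceMismatch is returned when a token is used against another tenant's source.
var ErrSourceMismatch = errors.New("token source_id does not match requested source")

// inventory is a constructed in-memory stand-in for the server's source store.
var inventory = map[string]string{
	"src-victim":   "victim inventory v1",
	"src-attacker": "attacker inventory v1",
}

// updateInventoryVulnerable mirrors the flaw: authentication is checked, but the
// token's source_id is never compared with the source ID taken from the request.
func updateInventoryVulnerable(claims AgentClaims, requestedSourceID, body string) error {
	if claims.Subject == "" {
		return errors.New("unauthenticated")
	}
	inventory[requestedSourceID] = body // any valid agent token can write any source
	return nil
}

// authorizeSource is the object-level authorization check (CWE-639): the source
// named in the request must be the one the token is scoped to.
func authorizeSource(claims AgentClaims, requestedSourceID string) error {
	if claims.Subject == "" {
		return errors.New("unauthenticated")
	}
	if claims.SourceID == "" || claims.SourceID != requestedSourceID {
		return ErrSourceMismatch
	}
	return nil
}

// updateInventoryFixed runs the check before any data is touched.
func updateInventoryFixed(claims AgentClaims, requestedSourceID, body string) error {
	if err := authorizeSource(claims, requestedSourceID); err != nil {
		return err
	}
	inventory[requestedSourceID] = body
	return nil
}
```

The same check belongs in every handler that takes a source ID from the request, including the status update path named in the description, not only the inventory one.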
Evidence notes
The vendor is listed as Unknown Vendor, but evidence suggests a connection to Red Hat.
Official resources
CVE-2026-53471 was published on 2026-06-10T15:16:41.703Z and modified on 2026-06-10T19:24:04.320Z.