CVE-2026-53470: Migration-planner: getsourcedownloadurl missing organization check
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 0.13.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper access control vulnerability in migration-planner allows an authenticated attacker to bypass an ownership check on the `/api/v1/sources/{id}/image-url` endpoint. The flaw is reachable over the network and requires only a low-privilege account; no additional user interaction is needed. Successful exploitation lets the attacker retrieve presigned S3 URLs for OVA images belonging to other users, download those images, extract long-lived JWTs and source configurations, and use those credentials to access and modify the victim's migration sources. A patched-image rebuild at version 0.13.5 is available on HarborGuard for affected environments.
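The missing ownership check described above, shown beside a corrected form, as an added Go example that is not migration-planner's own code. Every type, function and variable name, the sample sources and the presigned-URL format are hypothetical or constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types and names throughout; not migration-planner's own code.
type Source struct{ ID, OrgID string } // OrgID: owning organization
type User struct{ Name, OrgID string } // OrgID: from the caller's verified token
var ErrNotFound = errors.New("source not found")
var ErrForbidden = errors.New("source is not owned by caller's organization")

// Constructed sample data: two tenants plus a legacy row with no owner recorded.
var sources = map[string]Source{
	"src-a":      {ID: "src-a", OrgID: "org-a"},
	"src-b":      {ID: "src-b", OrgID: "org-b"},
	"src-legacy": {ID: "src-legacy", OrgID: ""},
}

// presign stands in for the S3 presigner; it builds a constructed URL, no network.
func presign(s Source) string { return "https://s3.example.invalid/ova/" + s.ID + "?sig=constructed" }

// imageURLUnchecked: flawed shape; caller is authenticated, source looked up by ID alone.
func imageURLUnchecked(_ User, id string) (string, error) {
	s, ok := sources[id]
	if !ok {
		return "", ErrNotFound
	}
	return presign(s), nil
}

// imageURLChecked authorizes before signing. Empty org values fail closed, so
// an ownerless row never matches a token that carries no organization claim.
func imageURLChecked(u User, id string) (string, error) {
	s, ok := sources[id]
	if !ok {
		return "", ErrNotFound
	}
	if u.OrgID == "" || s.OrgID == "" || s.OrgID != u.OrgID {
		return "", ErrForbidden
	}
	return presign(s), nil
}

func main() {
	_, err := imageURLChecked(User{Name: "alice", OrgID: "org-a"}, "src-b")
	fmt.Println("cross-tenant request:", err)
}
```

The comparison belongs before the presigner is called, because a presigned URL is a bearer credential that stays usable by anyone who holds it until it expires.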
HarborGuard Coverage
Detection capability for CVE-2026-53470 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Red Hat advisories) within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from migration-planner base layers.
Available
HarborGuard scores this CVE at 9.6 CRITICAL using the CVSS v3.1 vector and weights findings against each customer's per-environment compliance policy to determine urgency and routing. Triage results are delivered to the team inbox or ticketing integration configured inside each customer organization.
Available
A patched-image rebuild at migration-planner 0.13.5 becomes available on HarborGuard as soon as the fix version is confirmed against a customer's affected image manifest. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the migration-planner API service remotely.
- Authentication: Required
  Any low-privilege account on the platform is sufficient; the attacker does not need admin rights, but must hold valid credentials.
- Victim interaction: Not required
  The attacker calls the API directly and does not need any action from the targeted user.
- Attack complexity: Detail
  Exploit conditions are straightforward and reliable; no race conditions or special environmental factors are required to trigger the ownership check bypass.
Blast Radius
- The attacker downloads OVA images belonging to other users, which contain long-lived agent JWTs that remain valid after exfiltration.
- Extracted JWTs grant the attacker authenticated access to the victim's migration source, enabling unauthorized reads of source configurations including host credentials and network topology.
- Using the stolen credentials, the attacker modifies the victim's migration source settings, which can redirect or corrupt an in-progress workload migration.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-53470 is active across connected registries and pipelines, covering any image built on an affected migration-planner version below 0.13.5. Where compliance policy permits, a patched rebuild at 0.13.5 is made available automatically; for customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for CRITICAL-severity issues. Customers who prefer manual remediation can act on the HarborGuard finding directly. Because this vulnerability exposes long-lived JWTs, teams should treat any migration-planner deployment running below 0.13.5 as potentially compromised and rotate agent tokens after patching, regardless of whether exploitation has been confirmed.
Fix available
- unknown: < 0.13.5 (from 0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N