CVE-2026-53471: Migration-planner: agent api ignores jwt source_id claim
A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.
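The missing check described above, sketched in Go as an added example (this is not migration-planner's code): a handler that trusts any authenticated agent, beside one that binds the write to the token's source_id claim. `AgentClaims`, `WithClaims`, `AuthorizeSource`, `Store` and the sample IDs are hypothetical, and JWT signature verification is assumed to have happened in the middleware already.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// AgentClaims holds claims from an agent JWT whose signature was already
// verified. Hypothetical type; the advisory names only the source_id claim.
type AgentClaims struct{ SourceID string }
type claimsKey struct{}

// WithClaims is what an auth middleware would call after verifying the token.
func WithClaims(ctx context.Context, c AgentClaims) context.Context {
	return context.WithValue(ctx, claimsKey{}, c)
}

var ErrForbidden = errors.New("token source_id does not match requested source")

// AuthorizeSource fails closed unless the verified claim equals the requested ID.
func AuthorizeSource(ctx context.Context, requestedID string) error {
	c, ok := ctx.Value(claimsKey{}).(AgentClaims)
	if !ok || c.SourceID == "" || c.SourceID != requestedID {
		return ErrForbidden
	}
	return nil
}

// Store is a constructed in-memory inventory keyed by source ID.
type Store map[string]string

// UpdateUnchecked models the flaw: caller is authenticated, claim is ignored.
func (s Store) UpdateUnchecked(_ context.Context, id, inv string) { s[id] = inv }

// UpdateChecked binds the write to the token's source_id before touching data.
func (s Store) UpdateChecked(ctx context.Context, id, inv string) error {
	if err := AuthorizeSource(ctx, id); err != nil {
		return err
	}
	s[id] = inv
	return nil
}

func main() {
	ctx := WithClaims(context.Background(), AgentClaims{SourceID: "source-a"})
	s := Store{"source-a": "a-v1", "source-b": "b-v1"} // constructed sample data
	fmt.Println(s.UpdateChecked(ctx, "source-b", "x"), s["source-b"]) // rejected, unchanged
}
```

The comparison belongs in every handler that takes a source ID from the request, or in shared middleware that runs before them, so a new handler cannot skip it.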
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 0.13.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass in JWT claim validation affects migration-planner, a tool used to plan and assess virtual-machine migrations. An attacker who holds any valid agent token can reach the affected API handlers over the network without needing elevated privileges and supply an arbitrary source_id to target other tenants. Successful exploitation allows the attacker to overwrite victim tenant inventory, plant malicious credential URLs, or corrupt migration assessments across tenant boundaries. A patched-image rebuild at version 0.13.5 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-53471 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including the Red Hat CNA advisory within minutes of publication and matched against customer images, including custom-built images that bundle migration-planner. Any image carrying a migration-planner version below 0.13.5 is flagged automatically.
Available
HarborGuard scores this CVE at CVSS 9.6 (Critical) using the upstream v3.1 vector and weights the finding against each environment's compliance policy to determine priority and routing. The resulting alert is directed to the team inbox configured for the affected workload within each customer organization.
Available
A patched-image rebuild at migration-planner 0.13.5 becomes available on HarborGuard once an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerable API handlers are exposed over the network, so the attacker must be able to reach the migration-planner agent API endpoint remotely.
- Authentication: Required
  Any low-privilege account holding a valid agent JWT is sufficient; no admin or elevated privileges are needed beyond that initial token.
- Victim interaction: Not required
  The attacker sends crafted API requests directly; no victim user action or interaction is needed.
- Attack complexity
  The exploit is reliable and condition-free; the attacker simply supplies an arbitrary source_id in their request with no race conditions or environmental factors required.
Blast Radius
- Attacker overwrites the inventory data of any target tenant, replacing legitimate VM and infrastructure records with attacker-controlled content.
- Attacker plants malicious credential URLs in victim tenant inventory, which can redirect migration tooling or agents to attacker-controlled endpoints.
- Attacker corrupts migration assessments for victim tenants, causing incorrect or misleading planning outcomes for those organizations.
- Full collapse of tenant isolation means every tenant managed by the same migration-planner deployment is reachable as a target, not just the attacker's own tenant.
How HarborGuard Handles This
Available on HarborGuard: images containing migration-planner below 0.13.5 are flagged as critical the moment the CVE feed is ingested. Where compliance policy permits, a rebuilt image at version 0.13.5 is prepared automatically. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run against the patched image, and opens a pull request against any affected workload manifests; the median time from publication to merged PR for critical-severity findings is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can use the HarborGuard findings dashboard to identify every affected image and registry location and act on the 0.13.5 rebuild directly. Until a patch is applied, network-policy controls that restrict access to the migration-planner agent API to known, trusted agent identities reduce the window of exposure for this tenant-isolation bypass.
Fix available
- unknown < 0.13.5 (from 0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N