CVE-2026-53474: migration-planner: second-order SQL injection via RVTools upload
A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 0.13.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
A second-order SQL injection vulnerability affects migration-planner versions before 0.13.5. A remote attacker with a low-privilege account can upload a specially crafted RVTools .xlsx file; malicious SQL embedded in spreadsheet cells is executed when the application processes cluster names, requiring no further victim interaction. Successful exploitation gives the attacker arbitrary file read access on the host, exposing Kubernetes service account tokens and other credentials, which can lead to full SaaS environment compromise. A patched-image rebuild at version 0.13.5 is available on HarborGuard for environments running an affected version.
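The two-stage pattern described above, as an added example that is not migration-planner's own code: Python with an in-memory sqlite database stands in for the real stack, and the table names, sample cell values and allowlist regex are all constructed for the demo. The upload stage stores the cell value safely; the defect is that a later processing step re-reads the stored name and builds SQL by string concatenation, so the fix is to bind it as a parameter, with name allowlisting as defense in depth.

```python
import re
import sqlite3

# Constructed cluster-name cell values standing in for an uploaded RVTools sheet.
# The third value carries SQL metacharacters; it is a textbook demo string,
# not anything taken from the advisory.
SAMPLE_CELLS = ["cluster-a", "cluster-b", "x' OR '1'='1"]

# Conservative allowlist for cluster names (an assumption of this example,
# not a migration-planner rule): DNS-label-style characters only.
CLUSTER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")


def setup_db():
    """In-memory sqlite stands in for the application database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clusters (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE secrets (cluster TEXT, token TEXT)")
    conn.executemany("INSERT INTO secrets VALUES (?, ?)",
                     [("cluster-a", "tok-a"), ("cluster-b", "tok-b")])
    return conn


def ingest_cells(conn, cells, validate=False):
    """Stage 1: the upload handler stores cell values. This INSERT is already
    parameterized, so nothing fires here; the hostile string just becomes a row.
    Returns the number of rows now in the clusters table."""
    if validate:
        cells = [c for c in cells if CLUSTER_NAME_RE.match(c)]
    conn.executemany("INSERT INTO clusters (name) VALUES (?)", [(c,) for c in cells])
    return conn.execute("SELECT COUNT(*) FROM clusters").fetchone()[0]


def tokens_for_cluster_vulnerable(conn, cluster_id):
    """Stage 2 (vulnerable): a later job reads the stored name back and
    concatenates it into SQL, trusting it because it came from the database."""
    name = conn.execute("SELECT name FROM clusters WHERE id = ?", (cluster_id,)).fetchone()[0]
    rows = conn.execute(f"SELECT token FROM secrets WHERE cluster = '{name}'").fetchall()
    return sorted(r[0] for r in rows)


def tokens_for_cluster_fixed(conn, cluster_id):
    """Stage 2 (fixed): the same lookup with a bound parameter; the stored
    name is treated as data, never as SQL."""
    name = conn.execute("SELECT name FROM clusters WHERE id = ?", (cluster_id,)).fetchone()[0]
    rows = conn.execute("SELECT token FROM secrets WHERE cluster = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)
```

With the vulnerable lookup, row 3 (the crafted name) returns every token in the table; with the fixed lookup it returns nothing, and with `validate=True` the crafted cell never reaches the database at all.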
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Red Hat advisory, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that package migration-planner as a base or dependency.
HarborGuard is capable of scoring this finding at CVSS 9.6 (Critical) and applying per-environment compliance policy weighting to adjust priority before routing the alert to the appropriate team inbox within each customer organization.
A patched-image rebuild at migration-planner 0.13.5 becomes available through HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the migration-planner service over the network to submit the malicious file upload.
- Authentication: Required
  A valid account is needed, but any low-privilege account is sufficient; no administrative rights are required.
- Victim interaction: Not required
  No user interaction is needed after the file is uploaded; the SQL payload executes when the application processes the cluster name field.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions or specific memory layout dependencies are required.
Blast Radius
- Reads arbitrary files on the host system, including Kubernetes service account tokens and other credential files stored on disk.
- Exposes any secrets or configuration files accessible to the migration-planner process, including database credentials and API keys.
- Harvested credentials can be used to pivot into the broader Kubernetes cluster or SaaS infrastructure, enabling a full environment compromise.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-53474 is active across all connected registries and pipelines, matching any image that bundles migration-planner below version 0.13.5. A patched-image rebuild at 0.13.5 is made available as soon as the affected image is identified. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the configured team inbox with full CVSS context and a direct reference to the fix version. Given the severity (arbitrary file read leading to credential exposure and potential cluster compromise), prioritizing this rebuild ahead of the next scheduled maintenance window is strongly advisable.
Fix available
- unknown: < 0.13.5 (from 0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N