CVE-2026-53470

Severity: High (CVSS 3.1 base score 8.1) · EPSS 19.7%
Published Jun 10, 2026 · Last Modified Jun 17, 2026

Description

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
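The description is a textbook CWE-639 pattern: the handler resolves the source by the client-supplied `{id}` and presigns its OVA object without asking whether the caller owns that source. The following is an added, self-contained example (not the migration-planner code base, and not the fix in PR 1218) that models the endpoint in Go, the project's language, with a vulnerable and a hardened lookup side by side and an in-process probe that shows the difference. Everything here is constructed: the `Source` type, the `sources` map, the `presign` stub, and the `X-Test-User` header used to stand in for the verified identity a real service would take from its bearer token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Source is a constructed stand-in for a migration source record:
// its id, the user who owns it, and the S3 object key of its OVA image.
type Source struct {
	ID     string
	Owner  string
	OVAKey string
}

// Constructed sample data: two sources owned by two different users.
var sources = map[string]Source{
	"src-1": {ID: "src-1", Owner: "alice", OVAKey: "ova/src-1.ova"},
	"src-2": {ID: "src-2", Owner: "bob", OVAKey: "ova/src-2.ova"},
}

var ErrNotFound = errors.New("source not found")

// presign stands in for the real S3 presigner; it returns a deterministic
// string so the example runs offline.
func presign(key string) string {
	return "https://s3.example.invalid/" + key + "?X-Amz-Signature=constructed"
}

// VulnerableImageURL mirrors the flawed pattern: the source is looked up by
// id only and the requester's identity is never compared with the owner.
func VulnerableImageURL(requester, sourceID string) (string, error) {
	s, ok := sources[sourceID]
	if !ok {
		return "", ErrNotFound
	}
	return presign(s.OVAKey), nil
}

// FixedImageURL enforces ownership. "Missing" and "not yours" return the
// same error so an attacker cannot enumerate other users' source ids.
func FixedImageURL(requester, sourceID string) (string, error) {
	s, ok := sources[sourceID]
	if !ok || s.Owner != requester {
		return "", ErrNotFound
	}
	return presign(s.OVAKey), nil
}

type imageURLFunc func(requester, sourceID string) (string, error)

// NewHandler serves GET /api/v1/sources/{id}/image-url using the given lookup.
// The requester identity comes from a constructed header here; a real
// service must derive it from the verified token, never from client input.
func NewHandler(lookup imageURLFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		requester := r.Header.Get("X-Test-User")
		if requester == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		const prefix, suffix = "/api/v1/sources/", "/image-url"
		p := r.URL.Path
		if !strings.HasPrefix(p, prefix) || !strings.HasSuffix(p, suffix) {
			http.NotFound(w, r)
			return
		}
		id := strings.TrimSuffix(strings.TrimPrefix(p, prefix), suffix)
		if id == "" || strings.Contains(id, "/") {
			http.NotFound(w, r)
			return
		}
		url, err := lookup(requester, id)
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]string{"url": url})
	})
}

// Probe issues an in-process request as the given user and returns the status
// code, which is the check a tester would run against both handler variants.
func Probe(h http.Handler, user, sourceID string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/sources/"+sourceID+"/image-url", nil)
	req.Header.Set("X-Test-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	variants := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", NewHandler(VulnerableImageURL)}, {"fixed", NewHandler(FixedImageURL)}}
	for _, v := range variants {
		fmt.Printf("%-10s bob -> alice's src-1: %d\n", v.name, Probe(v.h, "bob", "src-1"))
		fmt.Printf("%-10s alice -> own src-1:   %d\n", v.name, Probe(v.h, "alice", "src-1"))
	}
}
```

Two practitioner notes follow from the description rather than from this example. First, a presigned URL is a bearer capability: once issued to the wrong caller it is valid until it expires regardless of any later server-side check, so the fix closes the issuance path but does not recall URLs already handed out. Second, because the OVA images carry long-lived agent JWTs, upgrading to 0.13.5 is only half the remediation; any agent tokens that may have been exposed through this endpoint should be rotated or revoked as well.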

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
19.7%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products 1

Vendor    Product               Version Range
kubev2v   migration_assessment  all versions < 0.13.5

References 3

  • access.redhat.com https://access.redhat.com/security/cve/CVE-2026-53470
    Third Party Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2487069
    Issue Tracking, Third Party Advisory
  • github.com https://github.com/kubev2v/migration-planner/pull/1218
    Patch

Remediation

  • github.com https://github.com/kubev2v/migration-planner/pull/1218
    Patch