critical

Broken Tenant Isolation in migration-planner agent-API (CVE-2026-53471)

critical-cve-against-dependency · active

A flaw in the migration-planner agent-API lets an authenticated attacker holding a valid agent token act across tenant boundaries: the UpdateSourceInventory and UpdateAgentStatus handlers do not validate the JWT source_id claim against the source ID named in the request. This breaks tenant isolation and can allow an attacker to overwrite another tenant's inventory, plant malicious credential URLs, or corrupt migration assessments.
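As an added illustration (not code from the migration-planner project, whose implementation is not shown on this page), the following Go sketch shows the missing check: the source ID named in the request is compared against the source_id claim of an already signature-verified agent JWT before either handler writes anything. The AgentClaims and Inventory types, the in-memory store and status maps, and the handler function names are assumptions made for this example.

```go
package main

import "errors"

// AgentClaims stands in for the claims of an already signature-verified agent JWT (hypothetical type).
type AgentClaims struct {
	SourceID string // the JWT "source_id" claim
}

// Inventory is a constructed placeholder for an inventory payload.
type Inventory struct{ Hosts []string }

// ErrSourceMismatch is returned when a request targets a source other
// than the one the caller's token was issued for.
var ErrSourceMismatch = errors.New("token source_id does not match requested source")

// In-memory stand-ins for per-source storage (assumed, not the project's).
var (
	store  = map[string]Inventory{}
	status = map[string]string{}
)

// authorizeSource is the tenant-isolation check the advisory says both
// handlers lack: the requested source ID must equal the token's claim.
// An empty claim is rejected too, so a token with no binding cannot pass.
func authorizeSource(claims AgentClaims, requestedSourceID string) error {
	if claims.SourceID == "" || claims.SourceID != requestedSourceID {
		return ErrSourceMismatch
	}
	return nil
}

// updateSourceInventory performs the write only after the check passes.
func updateSourceInventory(claims AgentClaims, sourceID string, inv Inventory) error {
	if err := authorizeSource(claims, sourceID); err != nil {
		return err
	}
	store[sourceID] = inv
	return nil
}

// updateAgentStatus applies the same check before touching agent state.
func updateAgentStatus(claims AgentClaims, sourceID, newStatus string) error {
	if err := authorizeSource(claims, sourceID); err != nil {
		return err
	}
	status[sourceID] = newStatus
	return nil
}
```

The comparison is between the request path and the verified token, never a value the client supplies in the request body; a source ID in the body is attacker-controlled just like the path.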

Affected packages

Sources