high

Improper Access Control in migration-planner Exposes Other Users' OVA Images via Presigned S3 URLs (CVE-2026-53470)

critical-cve-against-dependency · active

A flaw in migration-planner lets an authenticated attacker bypass an ownership check on the `/api/v1/sources/{id}/image-url` endpoint to obtain presigned S3 URLs for other users' OVA images. Those images can contain sensitive data such as long-lived agent JWTs and source configurations, potentially enabling unauthorized access to and modification of a victim's source.
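The control this advisory concerns, written out as an added example; it is not migration-planner's code and does not reproduce the actual bypass. The `Source` type, `Presigner`, `ImageURL`, and all sample values are hypothetical, and the S3 presign call is replaced by a stub so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// Source is a hypothetical stand-in for a migration source record.
type Source struct {
	ID      string
	OwnerID string // identity that created the source
	OVAKey  string // object key of the generated OVA image
}

// Presigner abstracts the S3 presign call (assumption: stubbed for this example).
type Presigner func(objectKey string) (string, error)

// ErrNotFound is returned for both missing and foreign sources, so the
// endpoint does not reveal which source IDs exist.
var ErrNotFound = errors.New("source not found")

// ImageURL models the logic behind GET /api/v1/sources/{id}/image-url.
// callerID must come from the verified auth token, never from request input.
func ImageURL(store map[string]Source, presign Presigner, callerID, sourceID string) (string, error) {
	src, ok := store[sourceID]
	// Deny by default: the ownership check runs before any URL is minted,
	// and an empty caller identity never matches an owner.
	if !ok || callerID == "" || src.OwnerID != callerID {
		return "", ErrNotFound
	}
	return presign(src.OVAKey)
}

func main() {
	// Constructed sample data.
	store := map[string]Source{
		"src-a": {ID: "src-a", OwnerID: "alice", OVAKey: "ova/src-a.ova"},
	}
	presign := func(key string) (string, error) {
		return "https://bucket.example/" + key + "?X-Amz-Signature=constructed", nil
	}
	for _, caller := range []string{"alice", "bob"} {
		url, err := ImageURL(store, presign, caller, "src-a")
		fmt.Printf("caller=%s url=%q err=%v\n", caller, url, err)
	}
}
```

A regression test for this class of flaw should assert not only that a non-owner is refused, but that the presigner is never invoked for a refused request and that the refusal is indistinguishable from a missing source.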

Affected packages

Sources