Missing Authorization in migration-planner Allows Authenticated User to Delete All Customer Data (CVE-2026-53469)
critical-cve-against-dependency · active
A broken authorization flaw in migration-planner lets any authenticated user delete all customer data by sending a DELETE request to the /api/v1/sources endpoint. Because the route lacks proper authorization and filtering, exploitation can wipe sources, agents, and assessments across the entire SaaS platform.
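The flaw class described above, as an added Go example that is not migration-planner's code or its fix: a DELETE handler on the collection route with no tenant filter, beside one that refuses callers without a tenant identity and scopes the delete to the caller's organization. The `Store`, `Source`, `OrgID` and `orgKey` names and the per-organization tenancy model are assumptions, and the data is constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type orgKey struct{}                    // context key where assumed auth middleware stores the caller's org
type Source struct{ ID, OrgID string } // hypothetical record; OrgID is an assumed tenant key
type Store struct{ Sources []Source }  // constructed in-memory stand-in for the database

// DeleteWhere removes every source that match accepts.
func (s *Store) DeleteWhere(match func(Source) bool) {
	kept := []Source{}
	for _, src := range s.Sources {
		if !match(src) {
			kept = append(kept, src)
		}
	}
	s.Sources = kept
}

// deleteSources builds the DELETE handler; scoped=false reproduces the flaw (no tenant filter).
func deleteSources(s *Store, scoped bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		org, _ := r.Context().Value(orgKey{}).(string)
		if scoped && org == "" {
			http.Error(w, "forbidden", http.StatusForbidden) // no tenant identity: refuse
			return
		}
		s.DeleteWhere(func(src Source) bool { return !scoped || src.OrgID == org })
		w.WriteHeader(http.StatusNoContent)
	}
}

// run sends one DELETE as a caller from org and returns the status and the surviving sources.
func run(scoped bool, org string) (int, []Source) {
	s := &Store{Sources: []Source{{"s1", "org-a"}, {"s2", "org-a"}, {"s3", "org-b"}}}
	req := httptest.NewRequest(http.MethodDelete, "/api/v1/sources", nil)
	req = req.WithContext(context.WithValue(req.Context(), orgKey{}, org))
	rec := httptest.NewRecorder()
	deleteSources(s, scoped)(rec, req)
	return rec.Code, s.Sources
}

func main() {
	fmt.Println(run(false, "org-b")) // unscoped: every tenant's sources are gone
	fmt.Println(run(true, "org-b"))  // scoped: only org-b's source is removed
}
```

A regression test for this class of bug asserts on another tenant's rows after the call, since the status code is the same 204 in both the unscoped and the scoped case.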