CVE-2026-53470
CRITICALMigration-planner: getsourcedownloadurl missing organization check
Title source: cnaDescription
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
References (3)
Core 3
Core References
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-53470
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2487069
https://bugzilla.redhat.com/show_bug.cgi?id=2487069
Scores
CVSS v3
9.6
EPSS
0.0028
EPSS Percentile
19.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-639
Status
published
Published
Jun 10, 2026
Tracked Since
Jun 10, 2026