CVE-2026-53471
CVE-2026-53471 is a critical vulnerability in migration-planner where the agent-API middleware fails to validate the source_id claim in JSON Web Tokens (JWTs) against the requested source ID. This flaw allows an authenticated attacker with a valid agent token to bypass tenant isolation, potentially overwriting inventory, planting malicious credential URLs, or corrupting migration assessments across tenants.
AI Analysis
Technical Summary
The vulnerability in migration-planner's agent-API middleware involves improper validation of the source_id claim within JWTs used for authentication. Specifically, the UpdateSourceInventory and UpdateAgentStatus handlers do not verify that the source_id claim matches the requested source ID. This oversight enables an authenticated attacker possessing a valid agent token to manipulate data belonging to other tenants, effectively breaking tenant isolation. The vulnerability is identified as CVE-2026-53471 with a CVSS 3.1 score of 9.6, indicating critical severity. The affected versions are those prior to 0.13.5. No official remediation level or patch information is provided in the vendor advisory, but a Red Hat advisory URL is referenced for further details.
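The following Go sketch, added here and not taken from migration-planner itself, shows the authorization check the summary describes as missing: after the JWT has been verified, the token's source_id claim is compared with the source ID named in the request path before any inventory or status handler runs. The route shape /api/v1/sources/{id}/..., the AgentClaims type and the function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// AgentClaims holds the already-verified JWT claims the check needs. Signature
// verification is assumed upstream; the flaw on this page is a missing authorization step.
type AgentClaims struct {
	SourceID string // the source_id claim
}

// sourceIDFromPath extracts {id} from /api/v1/sources/{id}/... (constructed route shape).
func sourceIDFromPath(path string) (string, bool) {
	rest, ok := strings.CutPrefix(path, "/api/v1/sources/")
	id, _, _ := strings.Cut(rest, "/")
	return id, ok && id != ""
}

// AuthorizeSource is the tenant-isolation check: 200 only when the source_id claim equals
// the source ID in the path, 403 on any mismatch or unparseable path, 401 without claims.
func AuthorizeSource(claims *AgentClaims, path string) int {
	if claims == nil {
		return http.StatusUnauthorized
	}
	if id, found := sourceIDFromPath(path); !found || id != claims.SourceID {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// RequireSourceMatch wraps a handler so a failed check never reaches it (hypothetical middleware).
func RequireSourceMatch(getClaims func(*http.Request) *AgentClaims, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := AuthorizeSource(getClaims(r), r.URL.Path); code != http.StatusOK {
			http.Error(w, "source_id claim does not match requested source", code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	c := &AgentClaims{SourceID: "src-a"} // constructed sample claim
	fmt.Println(AuthorizeSource(c, "/api/v1/sources/src-a/inventory")) // 200
	fmt.Println(AuthorizeSource(c, "/api/v1/sources/src-b/inventory")) // 403
}
```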
Potential Impact
An attacker with valid agent credentials can exploit this vulnerability to perform unauthorized actions across different tenants. This includes overwriting victim inventory data, injecting malicious credential URLs, and corrupting migration assessments. The compromise of tenant isolation can lead to significant confidentiality and integrity breaches within affected environments.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-53471 for current remediation guidance. Until an official fix is available, restrict access to agent tokens and monitor for suspicious activity related to source_id claims in JWTs. Avoid using affected versions prior to 0.13.5 if possible.
CVSS v3.1 score: 9.6 (critical)
Affected software: pkg:github/migration-planner
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-06-09T17:03:29.627Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory URLs: https://access.redhat.com/security/cve/CVE-2026-53471 (Red Hat)
Threat ID: 6a29799fc9170919df2daed8
Added to database: 6/10/2026, 2:50:07 PM
Last enriched: 6/10/2026, 3:04:09 PM
Last updated: 6/10/2026, 4:02:12 PM