Executive Summary
CVE-2026-53469 is a critical missing authorization vulnerability (CVSS 9.1) affecting migration-planner, Red Hat's infrastructure migration planning tool used for assessing workloads before migrating them to OpenShift or Kubernetes environments. The vulnerable DELETE /api/v1/sources route lacks proper authorization and ownership filtering, meaning any authenticated user can invoke it to destroy all customer data in the system — including sources, agents, and assessments — regardless of which tenant owns that data.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-53469 |
| CVSS Score | 9.1 (Critical) |
| Type | Missing Authorization (CWE-862) |
| Component | migration-planner — REST API |
| Route | DELETE /api/v1/sources |
| Authentication Required | Yes (any authenticated user) |
| Attack Vector | Network |
| Impact | Complete destruction of all sources, agents, and assessments |
| Published | 2026-06-10 |
Technical Analysis
What is migration-planner?
migration-planner is a Red Hat tool that enables infrastructure teams to assess on-premise environments before migrating workloads to OpenShift or Kubernetes. The tool deploys lightweight agents on source systems to collect inventory data and generates migration assessments. All collected data is organized into sources — logical groupings that may contain multiple agents and their associated assessments.
Root Cause
The DELETE /api/v1/sources route is implemented without any authorization or ownership filter. When a DELETE request reaches this handler, it removes all source records from the datastore — not just those owned by the requesting user — because the handler does not:
- Verify that the requesting user has permission to delete sources
- Scope the deletion to resources owned by or associated with the requesting user's tenant
- Require any resource-specific identifier (allowing a single request to target all records)
```text
Attacker (authenticated) → DELETE /api/v1/sources
        ↓
Handler: No ownership check, no scope filter
        ↓
Database: DELETE FROM sources WHERE 1=1 (effectively)
        ↓
Result: All sources, agents, and assessments destroyed
```
Blast Radius
A single API call to the vulnerable endpoint results in the deletion of:
- All source records in the system
- All agent records linked to those sources
- All assessment records generated from agent data
This constitutes a complete wipe of all operational migration planning data for every tenant in the deployment. Recovery is dependent on backup availability.
Affected Environments
Deployments of migration-planner that:
- Expose the REST API to authenticated users
- Have not applied the vendor patch
- Run a version prior to the fix
are fully vulnerable. Any authenticated user — regardless of their intended role — can trigger this condition with a single HTTP request.
Remediation
Immediate Action
Apply the vendor patch from Red Hat immediately. The patch adds proper authorization and ownership filtering to the DELETE /api/v1/sources route so that:
- Users can only delete sources belonging to their own tenant
- A bulk delete without appropriate administrative privileges is rejected
- Each delete operation is scoped to the authenticated user's resources
Compensating Controls (Pre-Patch)
If immediate patching is not possible:
- Restrict API access — Limit access to the migration-planner REST API to trusted users only via network policy or API gateway authentication rules
- Remove DELETE permissions at the reverse proxy or load balancer level for the /api/v1/sources route until the patch is applied
- Audit API access logs for unexpected DELETE requests to /api/v1/sources from non-administrative users
Post-Patch Steps
- Verify backups — Confirm backup integrity for all source, agent, and assessment data
- Review access logs — Identify any DELETE requests to /api/v1/sources prior to patching and assess whether exploitation occurred
- Re-inventory affected tenants — If exploitation is confirmed, affected tenants may need to re-run agent discovery to restore migration assessment data
- Rotate credentials — If assessment data contained sensitive infrastructure details, treat it as potentially exposed
Detection
Monitor for unauthorized or unexpected DELETE requests to the sources endpoint:
```bash
# Check API access logs for DELETE requests to /api/v1/sources
grep 'DELETE /api/v1/sources' /var/log/migration-planner/access.log
# Alert on any DELETE to this endpoint from non-admin accounts
# in your SIEM or log management platform
```

Signs of exploitation include:
- Sudden loss of all migration sources, agents, or assessments
- DELETE requests in logs not attributable to administrative operations
- Users reporting that previously collected migration data has disappeared
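The log check above can be narrowed so that it reports only DELETE requests against the collection route itself, made by accounts outside an admin allowlist. The following is an added example, not code from migration-planner or Red Hat. It assumes the access log is in Common Log Format with the authenticated user in the third field, that a per-source route of the form /api/v1/sources/<id> exists, and it uses a hypothetical allowlist name and constructed sample lines.

```python
import re
from urllib.parse import urlsplit

# Assumption: Common Log Format, authenticated user in the third field.
# Adjust the pattern to the log format your deployment actually writes.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_USERS = {"planner-admin"}  # hypothetical allowlist of admin accounts


def is_collection_delete(method, target):
    """True for DELETE on the collection route, not on /api/v1/sources/<id>."""
    path = urlsplit(target).path.rstrip("/")  # ignore query string, trailing slash
    return method == "DELETE" and path == "/api/v1/sources"


def find_suspicious_deletes(lines, admins=ADMIN_USERS):
    """Return (timestamp, user, host, status, succeeded) for each
    collection-level DELETE issued by an account not in the allowlist."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_collection_delete(m["method"], m["target"]):
            continue
        if m["user"] in admins:
            continue
        status = int(m["status"])
        hits.append((m["ts"], m["user"], m["host"], status, 200 <= status < 300))
    return hits


# Constructed sample lines (not taken from a real deployment).
SAMPLE_LOG = [
    '10.0.4.17 - alice [10/Jun/2026:09:12:01 +0000] "GET /api/v1/sources HTTP/1.1" 200 5120',
    '10.0.4.17 - alice [10/Jun/2026:09:12:40 +0000] "DELETE /api/v1/sources/3f2a HTTP/1.1" 204 0',
    '10.0.9.33 - bob [10/Jun/2026:09:15:22 +0000] "DELETE /api/v1/sources HTTP/1.1" 200 0',
    '10.0.9.33 - bob [10/Jun/2026:09:15:30 +0000] "DELETE /api/v1/sources/?x=1 HTTP/1.1" 403 0',
    '10.0.1.5 - planner-admin [10/Jun/2026:10:00:00 +0000] "DELETE /api/v1/sources HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ts, user, host, status, ok in find_suspicious_deletes(SAMPLE_LOG):
        outcome = "succeeded" if ok else "rejected"
        print(f"{ts} user={user} src={host} status={status} bulk DELETE {outcome}")
```

A hit with a 2xx status on an unpatched version corresponds to the full wipe described under Blast Radius; rejected attempts after patching are still worth reviewing.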