Executive Summary
CVE-2026-53470 is a critical improper access control vulnerability (CVSS 9.6) affecting migration-planner, Red Hat's migration planning tool for OpenShift and Kubernetes environments. The /api/v1/sources/{id}/image-url endpoint fails to validate that the requesting user owns the source identified by {id}. This allows any authenticated user to supply an arbitrary source ID and obtain valid pre-signed S3 URLs for Open Virtual Appliance (OVA) images uploaded by other tenants — a classic Insecure Direct Object Reference (IDOR) vulnerability with high-impact data exposure consequences.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-53470 |
| CVSS Score | 9.6 (Critical) |
| Type | Improper Access Control / IDOR (CWE-284) |
| Component | migration-planner — REST API |
| Endpoint | GET /api/v1/sources/{id}/image-url |
| Authentication Required | Yes (any authenticated user) |
| Attack Vector | Network |
| Impact | Cross-tenant read access to S3 pre-signed URLs for OVA images |
| Published | 2026-06-10 |
Technical Analysis
Background: OVA Images in migration-planner
During migration assessments, migration-planner agents can upload Open Virtual Appliance (OVA) image files to Amazon S3. These OVA files may represent full virtual machine disk images, containing operating system configurations, application data, and potentially sensitive infrastructure details. The /api/v1/sources/{id}/image-url endpoint generates temporary pre-signed S3 URLs that allow direct download of these images.
Root Cause
The endpoint handler resolves the S3 pre-signed URL for a given source ID without verifying that the authenticated caller owns that source. The ownership check that should validate the relationship between the requesting user's tenant and the target source ID is absent:
Attacker (authenticated) → GET /api/v1/sources/{victim_source_id}/image-url
↓
Handler: Looks up source by ID → no ownership check
↓
S3: Generates pre-signed URL for victim's OVA image
↓
Response: Valid, time-limited download URL returned to attacker
IDOR Attack Pattern
An attacker who has a valid authenticated session can enumerate or guess source IDs for other tenants and call this endpoint to receive working S3 pre-signed URLs. Since S3 pre-signed URLs grant direct, unauthenticated download access to the associated object for their validity period, the attacker can then retrieve the victim tenant's OVA image files.
| Step | Action |
|---|---|
| 1 | Attacker authenticates to migration-planner with their own account |
| 2 | Attacker enumerates source IDs belonging to other tenants |
| 3 | Attacker calls GET /api/v1/sources/{victim_id}/image-url |
| 4 | API returns valid S3 pre-signed URL without ownership check |
| 5 | Attacker downloads victim's OVA image from S3 |
Data Exposure
OVA image files can contain sensitive information including:
- Full virtual machine disk images with operating system configurations
- Application code and configuration files
- Database files or credentials stored on disk
- SSH keys, TLS certificates, or other secrets embedded in the VM image
- Proprietary software and business logic
Affected Environments
Deployments of migration-planner that:
- Use S3-backed storage for OVA image uploads
- Are accessible to multiple users or tenants
- Have not applied the vendor patch
are vulnerable to cross-tenant image exfiltration.
Remediation
Immediate Action
Apply the vendor patch from Red Hat. The patch adds ownership validation to the /api/v1/sources/{id}/image-url endpoint, ensuring the requesting user's tenant is verified against the source owner before any S3 pre-signed URL is generated.
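The missing check described under Root Cause, and the ownership validation the patch adds, side by side as an added illustration in Go (migration-planner's implementation language). This is example code written for this write-up, not the project's handler and not the vendor patch: the Source and Caller types, the in-memory store, the tenant field name OrgID, and the presign stub are all assumed stand-ins.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// Hypothetical stand-ins, not migration-planner's data model. Source is a
// registered migration source; OrgID is the tenant that owns it and Key is
// the S3 object key of its uploaded OVA.
type Source struct {
	ID    string
	OrgID string
	Key   string
}

// Caller is the authenticated identity resolved from the request's token.
type Caller struct {
	User  string
	OrgID string
}

var errNotFound = errors.New("source not found")

// store is a constructed in-memory stand-in for the database: two sources
// owned by two different tenants.
var store = map[string]Source{
	"src-1111": {ID: "src-1111", OrgID: "org-a", Key: "org-a/src-1111.ova"},
	"src-2222": {ID: "src-2222", OrgID: "org-b", Key: "org-b/src-2222.ova"},
}

func lookupSource(id string) (Source, error) {
	src, ok := store[id]
	if !ok {
		return Source{}, errNotFound
	}
	return src, nil
}

// presign stands in for the S3 pre-sign call and only fabricates a URL with
// the expiry encoded; a real handler would call the AWS SDK here.
func presign(key string, ttl time.Duration) string {
	return fmt.Sprintf("https://example-bucket.s3.amazonaws.com/%s?X-Amz-Expires=%d",
		key, int(ttl.Seconds()))
}

// vulnerableImageURL reproduces the defect the advisory describes: the source
// is looked up by ID alone and a URL is issued to whoever asked.
func vulnerableImageURL(caller Caller, id string) (string, int) {
	src, err := lookupSource(id)
	if err != nil {
		return "", http.StatusNotFound
	}
	return presign(src.Key, 15*time.Minute), http.StatusOK
}

// fixedImageURL is the hardened form: the caller's tenant must match the
// source owner before any URL is generated. A mismatch gets the same 404 as
// an unknown ID, so the endpoint does not confirm which foreign IDs exist.
func fixedImageURL(caller Caller, id string) (string, int) {
	src, err := lookupSource(id)
	if err != nil || src.OrgID != caller.OrgID {
		return "", http.StatusNotFound
	}
	return presign(src.Key, 15*time.Minute), http.StatusOK
}

func main() {
	alice := Caller{User: "alice", OrgID: "org-a"}
	for _, id := range []string{"src-1111", "src-2222"} {
		_, vs := vulnerableImageURL(alice, id)
		_, fs := fixedImageURL(alice, id)
		fmt.Printf("%s requests %s: vulnerable=%d fixed=%d\n", alice.User, id, vs, fs)
	}
}
```

In a real handler the more robust fix is to scope the database query itself to the caller's tenant (fetch by ID and owning tenant together) rather than fetching by ID and comparing afterwards, so that no later caller of the lookup can forget the constraint. Returning 404 rather than 403 on a tenant mismatch matters for the same reason the advisory lists "Review source ID exposure": a distinguishable refusal would let the endpoint confirm which source IDs belong to other tenants.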
Compensating Controls (Pre-Patch)
- Restrict endpoint access — Block or restrict access to the /api/v1/sources/*/image-url route at the API gateway or reverse proxy level to trusted administrative users only
- Shorten S3 pre-signed URL expiry — Minimize the validity window for newly generated pre-signed URLs to limit the exposure time of each one. A URL that has already been issued stays valid until its own expiry regardless of later configuration changes; revoking the IAM credentials that signed it is the way to invalidate it early
- Enable S3 server access logging — Activate S3 access logs to detect unauthorized downloads of OVA image objects
Post-Patch Steps
- Audit S3 access logs — Review S3 server access logs for downloads of OVA objects by unexpected principals or from unexpected IP addresses
- Assess data sensitivity — Determine what data may have been contained in accessible OVA images and evaluate notification or incident response obligations
- Rotate embedded credentials — If OVA images contained secrets (SSH keys, API keys, certificates), treat them as compromised and rotate immediately
- Review source ID exposure — Understand how source IDs are assigned and whether they are predictable or enumerable
Detection
# Check API logs for /image-url requests across multiple source IDs
# from a single user account (potential enumeration)
grep 'image-url' /var/log/migration-planner/access.log | \
  awk '{print $1, $7}' | sort | uniq -c | sort -rn
# List the OVA object keys in the bucket so that the S3 server access logs
# can be checked for downloads of those keys from outside the owning
# tenant's expected IP ranges
aws s3api list-objects --bucket <migration-planner-bucket> --query 'Contents[].Key'
Signs of exploitation include:
- Multiple /api/v1/sources/*/image-url requests from a single account targeting different source IDs
- S3 downloads of OVA objects from IP addresses not associated with the owning tenant
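The first detection command above counts image-url requests per client. The following Go program, added here as an example and not part of the advisory or of the project, carries the same idea one step further: it counts distinct source IDs per authenticated account, records how many of those requests actually received a URL (HTTP 200), and reports accounts above a threshold. The log format (a combined-style access log with the authenticated user in the third field) and every log line are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// requestRe extracts the client address, the authenticated account, the
// source ID and the HTTP status from one access-log line. The layout is an
// assumption: combined-style, with the user name as the third field.
var requestRe = regexp.MustCompile(
	`^(\S+) \S+ (\S+) \[[^\]]+\] "GET /api/v1/sources/([^/\s"]+)/image-url[^"]*" (\d{3})`)

// sampleLog is constructed for this example, not taken from any real system.
const sampleLog = `10.0.0.5 - alice [10/Jun/2026:09:00:01 +0000] "GET /api/v1/sources/src-1111/image-url HTTP/1.1" 200 412
10.0.0.5 - alice [10/Jun/2026:09:00:09 +0000] "GET /api/v1/sources/src-1111/image-url HTTP/1.1" 200 412
10.0.0.9 - mallory [10/Jun/2026:09:01:00 +0000] "GET /api/v1/sources/src-1111/image-url HTTP/1.1" 200 412
10.0.0.9 - mallory [10/Jun/2026:09:01:02 +0000] "GET /api/v1/sources/src-2222/image-url HTTP/1.1" 200 412
10.0.0.9 - mallory [10/Jun/2026:09:01:03 +0000] "GET /api/v1/sources/src-3333/image-url HTTP/1.1" 404 98
10.0.0.9 - mallory [10/Jun/2026:09:01:05 +0000] "GET /api/v1/sources/src-4444/image-url HTTP/1.1" 200 412
10.0.0.7 - bob [10/Jun/2026:09:02:00 +0000] "GET /api/v1/sources/src-2222 HTTP/1.1" 200 1500`

// Finding describes one account that requested image URLs for at least
// threshold distinct sources.
type Finding struct {
	User    string
	Sources []string // distinct source IDs requested, sorted
	Issued  int      // requests that returned 200, i.e. a URL was handed out
}

// enumerationFindings counts distinct source IDs per account across all
// /image-url requests, successful or not: probing IDs that do not exist
// shows up as 404s and is just as telling as a hit.
func enumerationFindings(log string, threshold int) []Finding {
	perUser := map[string]map[string]bool{}
	issued := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue // not an image-url request
		}
		user, src, status := m[2], m[3], m[4]
		if perUser[user] == nil {
			perUser[user] = map[string]bool{}
		}
		perUser[user][src] = true
		if status == "200" {
			issued[user]++
		}
	}
	var out []Finding
	for user, srcs := range perUser {
		if len(srcs) < threshold {
			continue
		}
		f := Finding{User: user, Issued: issued[user]}
		for s := range srcs {
			f.Sources = append(f.Sources, s)
		}
		sort.Strings(f.Sources)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

func main() {
	for _, f := range enumerationFindings(sampleLog, 3) {
		fmt.Printf("%s requested image URLs for %d distinct sources (%d issued): %v\n",
			f.User, len(f.Sources), f.Issued, f.Sources)
	}
}
```

Keying on the authenticated account rather than the client address is deliberate: a legitimate tenant behind a NAT gateway shares one address with many colleagues, while an account that touches many different source IDs in a short window has no benign explanation in a tool where each tenant sees only its own sources. The Issued count tells the post-patch audit which findings actually produced a downloadable URL and therefore which object keys to look for in the S3 server access logs.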