CVE Catalog

CVE-2026-53471

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

A flaw exists in the migration-planner where the agent-API middleware fails to properly validate the source_id claim in JWTs. This allows an authenticated attacker to manipulate data across different tenants, leading to a complete collapse of tenant isolation.

Risk Assessment

An attacker could unauthorizedly overwrite victim data, plant malicious credential URLs, or corrupt migration assessments, posing a serious threat to data security within the organization.

Recommendation

It is recommended to implement proper validation of the source_id claim in the UpdateSourceInventory and UpdateAgentStatus handlers to ensure proper tenant isolation.

Original NVD description (English source)

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS