Improper Access Control in Migration Planner Allows OVA Image Download

Executive Summary

CVE-2026-53470 is a security flaw in the migration-planner project where an authenticated attacker can exploit improper access control in the /api/v1/sources/{id}/image-url endpoint.

This vulnerability allows the attacker to bypass ownership checks and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images that belong to other users.

These OVA images contain sensitive information such as long-lived agent JSON Web Tokens (JWTs), proxy configurations, network settings, SSH keys, and certificates.

By exploiting this flaw, an attacker can download these OVA images, potentially leading to unauthorized access and modification of the victim's source.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive data embedded within OVA images, such as long-lived agent JWT tokens and source configurations.

Attackers can use this information to gain write access to the victim's source, potentially modifying or controlling the victim's migration-planner resources.

Additionally, disclosure of proxy or network configurations and SSH keys can lead to further compromise of the victim's environment.

The vulnerability also increases risk due to insufficient UUIDv4 entropy, which can expose UUIDs in shared assessments or support tickets, aiding attackers.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing access to the /api/v1/sources/{id}/image-url endpoint for improper authorization.

Specifically, attempts to access presigned S3 URLs for OVA images belonging to other users without proper ownership verification indicate the presence of the vulnerability.

You can test this by authenticating as a user and trying to access OVA images of other users via the endpoint. If the server returns presigned URLs without verifying ownership, the vulnerability exists.

Commands or methods to detect this include using curl or similar HTTP clients to send authenticated GET requests to the endpoint with different source IDs and observing if unauthorized access is granted.

• curl -H "Authorization: Bearer <token>" https://<migration-planner-host>/api/v1/sources/<other-user-source-id>/image-url

If the response includes a presigned S3 URL for a source not owned by the authenticated user, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the patch that enforces ownership verification on the /api/v1/sources/{id}/image-url endpoint.

The fix ensures that the authenticated user's username and organization match the source's owner before granting access, returning a 404 error if they do not match to prevent information leakage.

Until the patch is applied, restrict access to the vulnerable endpoint to trusted users only and monitor access logs for suspicious activity.

Long-term recommendations include wrapping the SourceService in an authorization decorator to enforce consistent access control.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated attacker to bypass ownership checks and obtain presigned S3 URLs for OVA images containing sensitive information such as long-lived agent JWTs, proxy configurations, network settings, SSH keys, and certificates.

The exposure of such sensitive data could lead to unauthorized access and modification of victim sources, potentially resulting in data breaches involving personal or confidential information.

Such unauthorized disclosure and access to sensitive data may violate compliance requirements under regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

Therefore, this vulnerability poses a risk to compliance by enabling unauthorized data access and potential data breaches.

Useful 0 Not Useful 0