CVE-2026-53474
Status: Received - Intake
SQL Injection in Migration-Planner via Malicious RVTools XLSX File

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment.
Affected Vendors & Products (2 associated CPEs)
Vendor   Product            Version / Range
redhat   migration-planner  *
redhat   migration_planner  up to 3.0.0 (3.0.0 excluded)
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-53474 is a second-order SQL injection in the migration-planner project. A remote authenticated attacker uploads a crafted RVTools .xlsx spreadsheet; the cluster names extracted from it are later interpolated, via text/template, into 27 DuckDB query templates without escaping. The injection is second-order because the payload is first stored as ordinary inventory data and only becomes SQL when those templates are rendered.

A single quote in a cluster-name cell therefore closes the string literal the template wraps it in, and whatever follows is parsed as SQL. DuckDB exposes file-reading functions such as read_text(), so the attacker can append a query that returns the contents of any file readable by the planner-api process.

Impact Analysis

The vulnerability can lead to severe security impacts including arbitrary file reading on the system where migration-planner runs. Attackers can potentially access sensitive information such as Kubernetes service account tokens, Postgres credentials, and agent-JWT signing keys.

Because the DuckDB worker runs in-process within the planner-api pod without sandboxing, a malicious spreadsheet upload by a single tenant could escalate to a full compromise of the SaaS environment.

Detection Guidance

Exploitation leaves traces in two places: the uploaded RVTools .xlsx, whose cluster-name cells carry the payload, and whatever planner-api logs about the DuckDB queries it builds from those cells. DuckDB queries that call file-reading functions, or that reference credential paths, are the most direct signal of an attempt.

If planner-api logs the rendered query text, search it for DuckDB file functions, quote breakouts and credential paths:

  • Checking logs for suspicious SQL: `kubectl logs <planner-api-pod> | grep -iE "read_text|read_blob|read_csv|read_json|read_parquet|UNION SELECT"`
  • Checking logs for references to in-pod credential paths: `kubectl logs <planner-api-pod> | grep -F "/var/run/secrets/kubernetes.io/serviceaccount"`
  • Using network monitoring to detect unexpected egress from the planner-api pod, since anything read through DuckDB still has to leave the environment.

Two caveats. read_text() runs inside the planner-api process, so a read of the service-account token does not appear as a separate file-access event in container or node audit logs; the absence of such an event is not evidence that the token was not read. And if planner-api does not log query text, the spreadsheet itself is the only artifact: retain uploaded RVTools files and scan their cluster-name cells for a single quote followed by SQL keywords, function calls or comment markers, both before processing and, after the fact, when reviewing a suspected upload.
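The checks above, as an added example that is not part of this page or of migration-planner: a small Go scanner that applies one set of indicator patterns to constructed planner-api log lines and to constructed cluster-name cell values. The log line format, the table and column names in the sample queries, and the indicator list are assumptions; read_text(), read_blob(), read_csv(), read_json(), read_parquet() and glob() are real DuckDB built-ins.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Indicator patterns. The function names are DuckDB built-ins that read from the
// filesystem; the path fragments are where in-pod credentials usually live. They are
// assumptions about what an attempt looks like, not signatures from the advisory.
var (
	fileFuncRe      = regexp.MustCompile(`(?i)\b(read_text|read_blob|read_csv|read_csv_auto|read_json|read_parquet|glob)\s*\(`)
	sensitivePathRe = regexp.MustCompile(`/var/run/secrets/|/proc/self/|/etc/(passwd|shadow)|\.kube/config`)
	breakoutRe      = regexp.MustCompile(`(?i)'\s*(union\b|or\b|and\b|;|--)`)
	commentRe       = regexp.MustCompile(`--|/\*`)
)

// Indicators returns the names of every pattern that fires on s. It works on any
// string, so the same check serves a planner-api log line and a cell value pulled
// from an uploaded xlsx before it reaches the query layer.
func Indicators(s string) []string {
	var hits []string
	if fileFuncRe.MatchString(s) {
		hits = append(hits, "duckdb-file-function")
	}
	if sensitivePathRe.MatchString(s) {
		hits = append(hits, "sensitive-path")
	}
	if breakoutRe.MatchString(s) {
		hits = append(hits, "quote-breakout")
	}
	if commentRe.MatchString(s) {
		hits = append(hits, "sql-comment")
	}
	return hits
}

// Finding ties a hit back to the line it came from.
type Finding struct {
	Line       int
	Indicators []string
	Text       string
}

// ScanLog runs Indicators over each line of a log stream and keeps the lines that hit.
func ScanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // rendered SQL can make long lines
	for n := 1; sc.Scan(); n++ {
		if ind := Indicators(sc.Text()); len(ind) > 0 {
			out = append(out, Finding{Line: n, Indicators: ind, Text: sc.Text()})
		}
	}
	return out
}

// SampleLog is constructed for this example. The line format is an assumption, not
// the real planner-api format, which may not log query text at all.
const SampleLog = `2026-06-10T12:00:01Z INFO inventory upload tenant=org-42 file=RVTools_export.xlsx rows=318
2026-06-10T12:00:02Z DEBUG duckdb query sql="SELECT name, cpu_count FROM vms WHERE cluster = 'prod-cluster-01'"
2026-06-10T12:00:03Z DEBUG duckdb query sql="SELECT name, cpu_count FROM vms WHERE cluster = 'x' UNION SELECT read_text('/var/run/secrets/kubernetes.io/serviceaccount/token'), NULL --'"
2026-06-10T12:00:04Z DEBUG duckdb query sql="SELECT name, cpu_count FROM vms WHERE cluster = 'dev-west'"
`

// SampleCells are constructed cluster-name cells as they might come out of the
// cluster column of an RVTools export: one benign, one carrying a payload.
var SampleCells = []string{
	"prod-cluster-01",
	"x' UNION SELECT read_blob('/etc/shadow'), NULL --",
}

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("log line %d: %s\n  %s\n", f.Line, strings.Join(f.Indicators, ","), f.Text)
	}
	for _, c := range SampleCells {
		if ind := Indicators(c); len(ind) > 0 {
			fmt.Printf("cell %q: %s\n", c, strings.Join(ind, ","))
		}
	}
}
```

The same Indicators function can gate the upload path: run it over every string cell of the RVTools sheet before the data is stored and quarantine the file on a hit. Expect occasional false positives from cluster names that legitimately contain a quote or a double hyphen; those are still worth a look.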

Mitigation Strategies

Immediate mitigation is to apply the fix (the affected range lists versions before 3.0.0), which escapes SQL string fields in user-controlled query parameters before rendering DuckDB queries. The inputs covered are ClusterFilter, OSFilter, PowerStateFilter, VmIDFilter and Category.

Specifically, the fix routes every string input in the 27 affected query templates through escapeSQLString(), which closes the single-quote breakout and with it the arbitrary SQL execution. Note that quote escaping only protects values placed inside single-quoted string literals; a value interpolated as an identifier, a number or any other unquoted position gets no protection from it, which is why building SQL from templates stays fragile even after this fix.

If patching is not immediately possible, consider restricting or disabling the upload of RVTools .xlsx files until the fix can be applied, to prevent attackers from exploiting the vulnerability.

Long-term mitigation includes replacing the use of text/template with DuckDB prepared statements to avoid SQL injection risks entirely.
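To make the breakout described in the Executive Summary and the escaping fix described above concrete, here is an added Go example; it is not migration-planner's code. It renders a hypothetical text/template query in both the vulnerable and the escaped form with the same crafted cluster name, then strips string-literal contents so the difference in what DuckDB would parse as syntax is visible. The template text, the vms table, the ClusterFilter field and this escapeSQLString implementation are assumptions; read_text() is a real DuckDB function.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Hypothetical template in the shape the advisory describes: a user-controlled
// cluster name is spliced straight into a DuckDB string literal. Assumed, not the
// project's own template.
const vulnerableTmpl = `SELECT name, cpu_count FROM vms WHERE cluster = '{{.ClusterFilter}}'`

// Same template, with the value routed through an escaping function first.
const hardenedTmpl = `SELECT name, cpu_count FROM vms WHERE cluster = '{{escape .ClusterFilter}}'`

type queryParams struct {
	ClusterFilter string
}

// escapeSQLString doubles single quotes, which is how a quote is written inside a
// standard single-quoted SQL literal in DuckDB. It is only correct for values that
// land inside such a literal; identifiers and numbers need other handling.
func escapeSQLString(s string) string {
	return strings.ReplaceAll(s, "'", "''")
}

func render(tmplText string, p queryParams) (string, error) {
	t, err := template.New("q").Funcs(template.FuncMap{"escape": escapeSQLString}).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, p); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// VulnerableQuery renders the unescaped template.
func VulnerableQuery(cluster string) (string, error) {
	return render(vulnerableTmpl, queryParams{ClusterFilter: cluster})
}

// HardenedQuery renders the escaped template.
func HardenedQuery(cluster string) (string, error) {
	return render(hardenedTmpl, queryParams{ClusterFilter: cluster})
}

// StripLiterals blanks the contents of every single-quoted literal (honouring the
// doubled-quote escape) so only what DuckDB would parse as syntax remains.
func StripLiterals(sql string) string {
	var out strings.Builder
	inLit := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case c == '\'' && !inLit:
			inLit = true
			out.WriteByte(c)
		case c == '\'' && inLit:
			if i+1 < len(sql) && sql[i+1] == '\'' {
				i++ // doubled quote: still inside the literal
				continue
			}
			inLit = false
			out.WriteByte(c)
		case !inLit:
			out.WriteByte(c)
		}
	}
	return out.String()
}

// Payload is a constructed cluster-name cell value: it closes the literal, appends a
// UNION that calls DuckDB's read_text() on the pod's service-account token, and
// comments out the template's trailing quote.
const Payload = "x' UNION SELECT read_text('/var/run/secrets/kubernetes.io/serviceaccount/token'), NULL --"

func main() {
	v, _ := VulnerableQuery(Payload)
	h, _ := HardenedQuery(Payload)
	fmt.Println("vulnerable:", v)
	fmt.Println("  as syntax:", StripLiterals(v))
	fmt.Println("hardened:  ", h)
	fmt.Println("  as syntax:", StripLiterals(h))
}
```

StripLiterals models only the single-quote escape and is a teaching aid, not a parser. With the escaped template the whole payload stays inside one literal and the WHERE clause simply matches nothing; with a prepared statement the cluster name travels as a bound parameter and never becomes part of the SQL text, so no escaping rule has to be right for every context.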

Compliance Impact

Because the flaw exposes in-pod credentials (Kubernetes service account tokens, Postgres credentials, agent-JWT signing keys) and can lead to a full compromise of the SaaS environment, a successful exploit by one tenant may result in unauthorized access to personal or protected data belonging to others.

Such exposure bears on obligations under standards and regulations like GDPR and HIPAA, which require protection of sensitive and personal data.
