cvedb.io
CVE-2026-53471
CRITICAL · CVSS 9.6
EPSS exploitation probability: 0%
Published 2026-06-10T15:16:41.703 · Last modified 2026-06-17T14:45:23.597

Summary

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.
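The missing check described above, as an added example that is not migration-planner's own code: a handler that trusts any verified agent token (`enforce=false`) beside one that rejects the request unless the token's `source_id` claim equals the source ID in the path. `AgentClaims`, `withClaims`, `updateInventory`, `statusFor` and the `/sources/<id>/inventory` route are assumed names, and JWT signature verification is taken as already done by the middleware.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed names for illustration; not migration-planner's real identifiers.
type AgentClaims struct{ SourceID string }
type ctxKey struct{}

// withClaims stands in for middleware that already verified the JWT signature.
func withClaims(c AgentClaims, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, c)))
	})
}

// enforce=false models the flaw; enforce=true binds the token to the path ID.
func updateInventory(enforce bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := r.Context().Value(ctxKey{}).(AgentClaims)
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if !ok || len(parts) != 3 || parts[0] != "sources" || parts[2] != "inventory" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Fail closed: an empty or absent claim never matches.
		if enforce && (c.SourceID == "" || c.SourceID != parts[1]) {
			http.Error(w, "source_id claim does not match source", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent) // the inventory write would happen here
	})
}

// statusFor sends a PUT for requestedID with a token scoped to tokenSource.
func statusFor(enforce bool, tokenSource, requestedID string) int {
	h := withClaims(AgentClaims{SourceID: tokenSource}, updateInventory(enforce))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPut, "/sources/"+requestedID+"/inventory", nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor(false, "src-a", "src-b"), statusFor(true, "src-a", "src-b"), statusFor(true, "src-a", "src-a"))
}
```

The same comparison belongs in every handler that takes a source ID from the request, which is why it is usually placed in shared middleware rather than repeated per handler.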

Affected products

kebev2v — migration_assessment

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.