CVE-2026-53471
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A flaw exists in the migration-planner where the agent-API middleware fails to properly validate the source_id claim in JWTs. This allows an authenticated attacker to manipulate data across different tenants, leading to a complete collapse of tenant isolation.
Risk Assessment
An attacker could unauthorizedly overwrite victim data, plant malicious credential URLs, or corrupt migration assessments, posing a serious threat to data security within the organization.
Recommendation
It is recommended to implement proper validation of the source_id claim in the UpdateSourceInventory and UpdateAgentStatus handlers to ensure proper tenant isolation.
Original NVD description (English source)
A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.

