CVE-2026-53469 PUBLISHED

Migration-planner: unprotected delete endpoint wipes all tenant data

Assigner: redhat
Reserved: 09.06.2026 Published: 10.06.2026 Updated: 10.06.2026

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Package Collection	https://github.com/kubev2v/migration-planner
Package Name	migration-planner
Versions	Default: unaffected affected from 0 to 0.13.5 (excl.)

References

Problem Types

Missing Authentication for Critical Function CWE