CVE-2026-53470EPSS p19.6%

CVE-2026-53470CVE-2026-53470

Description

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.

Scoring

CVSS 9.6 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS0.28% probability of exploitation · percentile 19.6% · 2026-06-19T12:03:05Z
Last modified2026-06-10

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-53471
CVE
CVE-2026-53469
CVE
CVE-2026-53476
CVE
CVE-2026-53474
CVE
CVE-2026-53473
CVE
CVE-2026-22908
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.