Bug 2487065 (CVE-2026-53469)
| Summary: | CVE-2026-53469 migration-planner: Unprotected DELETE Endpoint Wipes All Tenant Data | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Repository: migration-planner Priority: High Location: internal/handlers/v1alpha1/source.go:74 Description: DELETE /api/v1/sources route is wired in openapi.yaml and calls sourceSrv.DeleteSources(ctx) with no filter. The service method runs Unscoped().Exec("DELETE FROM sources") against shared Postgres. No admin gate, no org scoping, no confirmation required. Security Impact: Any authenticated user can destroy all customers' sources, agents, and assessments Single curl command causes total data loss across entire SaaS Critical availability and integrity catastrophe Fix Suggestion: Immediate: Hard-disable the handler (return 401 with explanatory message). Long-term: Either drop the route from openapi.yaml and delete SourceStore.DeleteAll, or re-implement as org-scoped bulk delete behind explicit edit permission. See patches/f004.patch.