Bug 2487069 (CVE-2026-53470)

Summary: CVE-2026-53470 migration-planner: GetSourceDownloadURL Missing Organization Check
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-09 17:47:21 UTC
Repository: migration-planner  
Priority: High  
Location: internal/handlers/v1alpha1/source.go:236

Description:  
GET /api/v1/sources/{id}/image-url returns presigned S3 URLs for OVA appliances. Unlike sibling endpoints (GetSource/UpdateSource/DeleteSource), this handler skips the user.Organization == source.OrgID ownership check and proceeds directly to URL generation. Any bearer token plus victim's source UUID yields a download link.

Security Impact:  

OVA embeds victim's long-lived agent JWT and source configuration

Attacker gains credential to write to victim's source (when combined with f002)

Discloses proxy/network configuration

UUIDv4 entropy is insufficient when UUIDs appear in shared assessments, support tickets, browser history

Fix Suggestion:  
Fetch the source first, compare user.Username/user.Organization against source.Username/source.OrgID, and return 404 on mismatch (not 403 to avoid existence oracle). Long-term: wrap SourceService in an Authz decorator. See patches/f003.patch.