Bug 2487232 (CVE-2026-53475)

Summary: CVE-2026-53475 assisted-migration-agent: TLS Verification Disabled on All vCenter Connections
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-09 18:34:52 UTC
Repository: assisted-migration-agent  
Priority: High  
Location: pkg/vmware/auth.go:78 (and 4+ other sites)

Description:  
Every code path that connects to vCenter hardcodes insecure=true: soap.NewClient(u, true) in auth.go:78, vmware.NewVsphereClient(ctx, creds, true) in inspector.go:97 and forecaster.go:114/194, and cfg.Insecure = true in rightsizing.go:258. There is no configuration option to provide a CA bundle or enable verification.

Security Impact:  

govmomi's Login() sends vCenter credentials over these connections

Any MITM attacker (ARP spoofing, rogue DHCP, compromised switch) can harvest vCenter administrator credentials

Can be chained with migration-planner f003 for cross-tenant credential theft

Fix Suggestion:  

Extend models.Credentials with CACert []byte and Insecure bool (default false)

Create pkg/vmware.NewSoapClient() helper that loads CA into TLSClientConfig.RootCAs

Replace all five literal-true sites with the helper

Add CA-upload field to UI
See patches/f002.note.md for architectural details.