2487065 – (CVE-2026-53469) CVE-2026-53469 migration-planner: Unprotected DELETE Endpoint Wipes All Tenant Data

Bug 2487065 (CVE-2026-53469) - CVE-2026-53469 migration-planner: Unprotected DELETE Endpoint Wipes All Tenant Data

Summary: CVE-2026-53469 migration-planner: Unprotected DELETE Endpoint Wipes All Tenan...

Keywords:
Status:	NEW
Alias:	CVE-2026-53469
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-09 17:20 UTC by OSIDB Bzimport
Modified:	2026-06-10 13:53 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-09 17:20:18 UTC

Repository: migration-planner  
Priority: High  
Location: internal/handlers/v1alpha1/source.go:74

Description:  
DELETE /api/v1/sources route is wired in openapi.yaml and calls sourceSrv.DeleteSources(ctx) with no filter. The service method runs Unscoped().Exec("DELETE FROM sources") against shared Postgres. No admin gate, no org scoping, no confirmation required.

Security Impact:  

Any authenticated user can destroy all customers' sources, agents, and assessments

Single curl command causes total data loss across entire SaaS

Critical availability and integrity catastrophe

Fix Suggestion:  
Immediate: Hard-disable the handler (return 401 with explanatory message). Long-term: Either drop the route from openapi.yaml and delete SourceStore.DeleteAll, or re-implement as org-scoped bulk delete behind explicit edit permission. See patches/f004.patch.

Note You need to log in before you can comment on or make changes to this bug.