Bug 2487232 (CVE-2026-53475) - CVE-2026-53475 assisted-migration-agent: TLS Verification Disabled on All vCenter Connections
Summary: CVE-2026-53475 assisted-migration-agent: TLS Verification Disabled on All vCe...
Keywords:
Status: NEW
Alias: CVE-2026-53475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-09 18:34 UTC by OSIDB Bzimport
Modified: 2026-06-10 13:52 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-09 18:34:52 UTC
Repository: assisted-migration-agent  
Priority: High  
Location: pkg/vmware/auth.go:78 (and 4+ other sites)

Description:  
Every code path that connects to vCenter hardcodes insecure=true: soap.NewClient(u, true) in auth.go:78, vmware.NewVsphereClient(ctx, creds, true) in inspector.go:97 and forecaster.go:114/194, and cfg.Insecure = true in rightsizing.go:258. There is no configuration option to provide a CA bundle or enable verification.

Security Impact:  

govmomi's Login() sends vCenter credentials over these connections

Any MITM attacker (ARP spoofing, rogue DHCP, compromised switch) can harvest vCenter administrator credentials

Can be chained with migration-planner f003 for cross-tenant credential theft

Fix Suggestion:  

Extend models.Credentials with CACert []byte and Insecure bool (default false)

Create pkg/vmware.NewSoapClient() helper that loads CA into TLSClientConfig.RootCAs

Replace all five literal-true sites with the helper

Add CA-upload field to UI
See patches/f002.note.md for architectural details.


Note You need to log in before you can comment on or make changes to this bug.