HIGH 7.3

CVE-2026-53473: XSS Vulnerability in Red Hat migration-planner-ui

A cross-site scripting (XSS) vulnerability exists in Red Hat's migration-planner-ui-app that allows an attacker to inject malicious JavaScript code through a specially crafted discovery agent registration. When a legitimate user clicks a malicious link in the application interface, the JavaScript executes in their browser within their authenticated session. An attacker can exploit this to hijack the user's Red Hat Single Sign-On credentials and potentially access data and perform actions across multiple tenants within the affected environment.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-53473 is a reflected or stored XSS vulnerability (CWE-79) in migration-planner-ui-app's discovery agent registration mechanism. The vulnerability stems from insufficient input validation on the credentialUrl parameter when registering a malicious discovery agent. An attacker with valid login credentials can craft a URL containing JavaScript payloads. Upon clicking the link, the payload executes in the victim's browser context with the victim's authentication tokens intact. The attack vector is network-based, requires low attack complexity and user interaction, but no special privileges beyond standard login access. The vulnerability enables session hijacking and cross-tenant data exfiltration within the SSO environment.

Business impact

Exploitation enables attackers to compromise user sessions and impersonate legitimate users within the Red Hat SSO ecosystem. This creates risk of unauthorized data access across multiple organizational tenants, potential manipulation of migration planning data, and unauthorized API calls. For organizations using kubev2v migration-planner-ui for infrastructure modernization, this poses a direct threat to sensitive Kubernetes and virtualization environment details that may be collected during planning phases. Incident response and session revocation may be required if exploitation occurs.

Affected systems

The vulnerability affects kubev2v migration-planner-ui. Any deployment of this application accepting discovery agent registrations from network sources is in scope. Organizations running Red Hat migration-planner-ui with users who authenticate via Red Hat SSO are exposed, particularly those in multi-tenant environments where cross-tenant access represents elevated risk.

Exploitability

Exploitation requires that an attacker either possess valid application credentials or be able to social engineer a legitimate user into clicking a malicious link. The attack complexity is low, and no special network position or system configuration is needed. The primary friction point is the user interaction requirement—the victim must click the crafted link for the payload to execute. Public exploit code is not known to exist (not listed on CISA KEV), reducing opportunistic attack likelihood but not eliminating targeted exploitation risk.

Remediation

Apply the security patch released by Red Hat for migration-planner-ui. The patch should implement input validation and output encoding on the credentialUrl parameter to prevent JavaScript injection. Organizations unable to patch immediately should restrict access to the migration-planner-ui to trusted internal networks, disable discovery agent registration functionality if not in active use, and monitor user sessions for anomalous behavior indicative of session hijacking.

Patch guidance

Check the Red Hat Security Advisories portal for the specific errata addressing CVE-2026-53473 for kubev2v migration-planner-ui. Apply patches to all instances of the application in your environment. Verify patched versions through Red Hat's official release notes. Test patches in a non-production environment first to ensure compatibility with your SSO configuration and dependent systems. After patching, consider forcing re-authentication of all users to invalidate any potentially compromised sessions.

Detection guidance

Monitor application logs for discovery agent registrations containing unusual or encoded credentialUrl parameters—look for characters like %3C, %3E, script, onerror, or onload that indicate injection attempts. Search web application firewall (WAF) logs for requests containing JavaScript keywords in parameter values. In SSO logs, look for session tokens being used from unexpected geographic locations or with rapid API calls following clicking of links. Browser console logs on user workstations may reveal JavaScript errors if payloads were attempted. Consider deploying a WAF rule to block credentialUrl parameters containing special characters or script tags.

Why prioritize this

This vulnerability merits priority due to its CVSS 7.3 HIGH severity score, the direct threat to user session integrity, and the potential for cross-tenant data compromise in multi-tenant SSO environments. The low attack complexity and broad applicability to any user with valid credentials create a meaningful exploitation window. While not currently tracked in CISA's Known Exploited Vulnerabilities catalog, the simplicity of XSS attacks and the high-value target (SSO session tokens) suggest it will eventually attract adversary attention if left unpatched.

Risk score, explained

The CVSS 7.3 score reflects high confidentiality and integrity impact (C:H/I:H) balanced against the requirement for user interaction and low network attack complexity. No availability impact is scored because the vulnerability does not cause denial of service. The user interaction requirement (UI:R) prevents this from reaching critical severity, but the combination of session hijacking potential and cross-tenant access risk justifies the HIGH severity classification. Organizations in highly regulated industries or with sensitive Kubernetes infrastructure data should treat this as critical regardless of base score.

Frequently asked questions

Can this vulnerability be exploited without a valid user account?

The vulnerability requires an attacker to either possess valid application credentials to register a malicious discovery agent, or socially engineer a legitimate user into clicking a crafted link. It does not allow unauthenticated access to the vulnerable endpoint.

Will patching alone prevent all exploitation, or do we need other controls?

Patching addresses the root cause by validating and encoding the credentialUrl parameter. However, if any users have already had their SSO sessions compromised, patching alone will not invalidate those sessions. Organizations should consider forcing re-authentication post-patch and reviewing SSO logs for signs of unauthorized access during the vulnerability window.

How do we determine if our Red Hat SSO sessions were compromised by this vulnerability?

Review Red Hat SSO audit logs for unexpected authentication grants, unusual API calls, or tokens being used from atypical locations after the published date (2026-06-10). Check for creation or modification of discovery agents by users who did not initiate those actions. If your SSO platform logs OAuth/OIDC token issuance, look for anomalies in the IP addresses or user-agents associated with token requests.

Is there a temporary workaround if we cannot patch immediately?

Yes. Restrict network access to the migration-planner-ui to trusted internal IP ranges or require VPN access. Disable discovery agent registration if it is not actively being used for migrations. Educate users not to click links from untrusted sources, even if they appear to come from within your infrastructure. These are defensive measures but not substitutes for patching.

This analysis is provided for informational purposes to support vulnerability management decisions. The vulnerability details, CVSS score, and affected products are based on the official CVE record as of the publication date. Organizations should verify patch availability and compatibility with their specific Red Hat environment through official Red Hat Security Advisories before deploying patches. SEC.co does not provide guarantee of the accuracy or completeness of this analysis and recommends consultation with Red Hat support for environment-specific remediation guidance. No exploit code or weaponized proof-of-concept is included or referenced in this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).