Filtered by vendor Openstack
Total: 275 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-44916 | 1 Openstack | 1 Ironic | 2026-06-18 | N/A | 3.0 LOW |
| In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing. | |||||
| CVE-2026-42997 | 1 Openstack | 1 Ironic | 2026-06-18 | N/A | 7.7 HIGH |
| An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1. | |||||
| CVE-2026-42510 | 1 Openstack | 1 Ironic | 2026-06-17 | N/A | 6.6 MEDIUM |
| OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface. | |||||
| CVE-2026-44919 | 1 Openstack | 1 Ironic | 2026-06-17 | N/A | 4.3 MEDIUM |
| In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL. | |||||
| CVE-2026-43003 | 1 Openstack | 1 Ironic Python Agent | 2026-06-17 | N/A | 8.0 HIGH |
| An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image. | |||||
| CVE-2026-50589 | 1 Openstack | 1 Ironic | 2026-06-17 | N/A | 5.3 MEDIUM |
| In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash. | |||||
| CVE-2026-48681 | 1 Openstack | 1 Ironic | 2026-06-17 | N/A | 5.9 MEDIUM |
| OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. | |||||
| CVE-2026-46447 | 1 Openstack | 1 Ironic | 2026-06-17 | N/A | 5.8 MEDIUM |
| OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | |||||
| CVE-2026-44917 | 1 Openstack | 1 Ironic | 2026-06-17 | N/A | 4.9 MEDIUM |
| OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. | |||||
| CVE-2026-44394 | 1 Openstack | 1 Keystone | 2026-06-17 | N/A | 6.0 MEDIUM |
| An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected. | |||||
| CVE-2026-43001 | 1 Openstack | 1 Keystone | 2026-06-17 | N/A | 7.9 HIGH |
| An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint. | |||||
| CVE-2026-43000 | 1 Openstack | 1 Keystone | 2026-06-17 | N/A | 6.0 MEDIUM |
| An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity. | |||||
| CVE-2026-42999 | 1 Openstack | 1 Keystone | 2026-06-17 | N/A | 6.0 MEDIUM |
| An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0). | |||||
| CVE-2026-42998 | 1 Openstack | 1 Keystone | 2026-06-17 | N/A | 6.0 MEDIUM |
| An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects. | |||||
| CVE-2026-34881 | 1 Openstack | 1 Glance | 2026-06-17 | N/A | 5.0 MEDIUM |
| OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin. | |||||
| CVE-2026-33551 | 1 Openstack | 1 Keystone | 2026-06-17 | N/A | 3.5 LOW |
| An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. | |||||
| CVE-2026-28370 | 1 Openstack | 1 Vitrage | 2026-06-17 | N/A | 9.1 CRITICAL |
| In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py. | |||||
| CVE-2024-7319 | 2 Openstack, Redhat | 2 Heat, Openstack Platform | 2026-06-17 | N/A | 5.0 MEDIUM |
| An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied. | |||||
| CVE-2024-40767 | 1 Openstack | 1 Nova | 2026-06-17 | N/A | 6.5 MEDIUM |
| In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498. | |||||
| CVE-2024-32498 | 1 Openstack | 3 Cinder, Glance, Nova | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected. | |||||
