SB2026061841 - Multiple vulnerabilities in OpenStack Ironic
Published: June 18, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute iPXE script code during node boot.
The vulnerability exists due to improper neutralization of special elements in Ironic's kernel command line override code when processing crafted values in node.driver_info or node.instance_info. A remote user can supply a crafted override value to execute iPXE script code during node boot.
Exploitation requires the ability to add or modify node.driver_info or node.instance_info.
2) Path traversal (CVE-ID: CVE-2026-48681)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite files on the conductor's disk or target disk.
The vulnerability exists due to path traversal in ISO handling code when processing a crafted ISO image. A remote user can deploy a node using configdrive, a virtual media-based boot interface, or the anaconda deploy interface with a malicious ISO image to overwrite files on the conductor's disk or target disk.
The issue affects both the conductor during ISO handling and the target disk during deployment through the anaconda deploy interface.
3) Improper access control (CVE-ID: CVE-2026-44917)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the pxe_template handling in Ironic boot interfaces when processing a user-supplied template path. A remote user can set node.driver_info[pxe_template] to a sensitive file path to disclose sensitive information.
The referenced file is placed into a TFTP or HTTP server for netbooting, where it can be fetched over the network from the conductor.
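The following added example (not code from this bulletin or from the Ironic project) audits exported node records for the node fields described above: a pxe_template that falls outside an operator-approved directory, and control characters in a kernel command line override value. The key name kernel_append_params, the approved directory and the sample nodes are assumptions; the bulletin does not say which special elements are involved, so the control-character test is only a conservative hygiene check.

```python
import posixpath

# Assumption: directory the operator approves for boot templates (constructed value).
ALLOWED_TEMPLATE_DIRS = ("/etc/ironic/templates",)
# Assumption: key that carries the kernel command line override; the bulletin does not name it.
KERNEL_OVERRIDE_KEY = "kernel_append_params"

def template_allowed(path, allowed_dirs=ALLOWED_TEMPLATE_DIRS):
    """True if path is absolute and, once '.' and '..' are collapsed, sits under an approved directory."""
    if not isinstance(path, str) or not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)  # lexical only; does not resolve symlinks
    return any(norm.startswith(d.rstrip("/") + "/") for d in allowed_dirs)

def has_control_chars(value):
    """True if a string holds any ASCII control character, which a kernel command line never needs."""
    return isinstance(value, str) and any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)

def audit_node(node):
    """Return a list of (field, value) findings for one node record."""
    findings = []
    driver_info = node.get("driver_info") or {}
    instance_info = node.get("instance_info") or {}
    template = driver_info.get("pxe_template")
    if template is not None and not template_allowed(template):
        findings.append(("driver_info.pxe_template", template))
    for name, info in (("driver_info", driver_info), ("instance_info", instance_info)):
        value = info.get(KERNEL_OVERRIDE_KEY)
        if has_control_chars(value):
            findings.append((f"{name}.{KERNEL_OVERRIDE_KEY}", value))
    return findings

def audit(nodes):
    """Map node uuid -> findings, listing only nodes that have at least one finding."""
    return {n["uuid"]: f for n in nodes if (f := audit_node(n))}

# Constructed sample records shaped like node objects exported from the API.
SAMPLE_NODES = [
    {"uuid": "node-a", "driver_info": {"pxe_template": "/etc/ironic/templates/custom.template"}},
    {"uuid": "node-b", "driver_info": {"pxe_template": "/etc/ironic/templates/../ironic.conf"}},
    {"uuid": "node-c", "driver_info": {}, "instance_info": {KERNEL_OVERRIDE_KEY: "nofb\rquiet"}},
]

if __name__ == "__main__":
    for uuid, findings in audit(SAMPLE_NODES).items():
        print(uuid, findings)
```

The path check is lexical, so it can run against an exported node list away from the conductor; on the conductor itself, also resolve symlinks before comparing.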
Remediation
Install the update from the vendor's website.
References
- https://security.openstack.org/ossa/OSSA-2026-017.html
- https://review.opendev.org/c/openstack/ironic/+/991387
- https://security.openstack.org/ossa/OSSA-2026-018.html
- https://bugs.launchpad.net/ironic/+bug/2148333
- https://security.openstack.org/ossa/OSSA-2026-019.html
- https://bugs.launchpad.net/ironic/+bug/2148319