Improper Neutralization of Special Elements in Output Used by a Downstream Component in Ironic - CVE-2026-46447

Published: June 18, 2026


Vulnerability identifier: #VU134855
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46447
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenStack
Affected software:
Ironic

Detailed vulnerability description

The vulnerability allows a remote user to execute iPXE script code during node boot.

The vulnerability exists because Ironic's kernel command line override code does not properly neutralize special elements when it processes crafted values taken from node.driver_info or node.instance_info. A remote user who can set such an override value can cause iPXE script code to be executed during node boot.

Exploitation requires the ability to add or modify node.driver_info or node.instance_info.
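As an added illustration for operators (not Ironic's code and not the vendor's fix), the following pre-check audits node records for kernel command line override values that carry line breaks or characters a kernel command line should never contain, which is the kind of input this weakness class (CWE-74) turns on. The override key name `kernel_append_params`, the allowed character set and the sample nodes are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Assumed override key name (not taken from the advisory); adjust to your deployment.
OVERRIDE_KEYS = ("kernel_append_params",)

# Allow-list for one kernel command line token (key=value style).
# Line breaks, NUL and script/shell metacharacters fall outside it and are rejected.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.,:/=+@-]+$")


def check_override_value(value: str) -> List[str]:
    """Return the problems found in a single override value (empty list means clean)."""
    problems = []
    if any(ch in value for ch in "\r\n\x00"):
        problems.append("contains line break or NUL")
    for token in value.split(" "):
        if token and not _TOKEN_RE.match(token):
            problems.append(f"unexpected characters in token {token!r}")
    return problems


def audit_node(node: Dict) -> List[Tuple[str, str, str]]:
    """Inspect driver_info and instance_info; return (section, key, problem) tuples."""
    findings = []
    for section in ("driver_info", "instance_info"):
        for key in OVERRIDE_KEYS:
            value = (node.get(section) or {}).get(key)
            if value is None:
                continue
            for problem in check_override_value(str(value)):
                findings.append((section, key, problem))
    return findings


# Constructed sample nodes (not real data).
CLEAN_NODE = {
    "uuid": "node-a",
    "driver_info": {"kernel_append_params": "nofb nomodeset console=ttyS0,115200"},
    "instance_info": {},
}
SUSPICIOUS_NODE = {
    "uuid": "node-b",
    "driver_info": {},
    "instance_info": {"kernel_append_params": "quiet\nSECOND-LINE"},
}
```

Run `audit_node` over every node before the values reach the boot templating step, and alert on any non-empty result.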


How to mitigate CVE-2026-46447

Install the security update from the vendor's website.

Sources