Skip to main content

OpenStack Ironic CVE-2026-42997

| EUVDEUVD-2026-27428 HIGH
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-05-05 mitre GHSA-54w4-233h-x86g
7.7
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Red Hat
7.7 HIGH
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 05, 2026 - 20:02 EUVD
Analysis Generated
May 05, 2026 - 19:00 vuln.today

DescriptionCVE.org

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

AnalysisAI

Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access.

Technical ContextAI

OpenStack Ironic is a bare-metal provisioning service that manages physical hardware through driver interfaces. The idrac driver interfaces with Dell iDRAC (Integrated Dell Remote Access Controller) for server management. The vulnerability (CWE-669: Incorrect Resource Transfer Between Spheres) exists in the molds import functionality, where the driver forwards authentication credentials to remote endpoints during hardware configuration operations. Keystone is OpenStack's identity service that issues time-limited authentication tokens providing federated access across OpenStack components (Nova, Neutron, Cinder, etc.). The affected CPE confirms this is specific to the openstack:ironic product, with the Dell and Ironic tags indicating the issue is within the Dell hardware driver implementation.

RemediationAI

Upgrade OpenStack Ironic to fixed versions: 26.1.6 (Zed branch), 29.0.5 (2023.1/Antelope), 32.0.1 (2023.2/Bobcat), or 35.0.1 (2024.1/Caracal or later). Apply the appropriate patch for your OpenStack release branch following the oss-security advisory at https://www.openwall.com/lists/oss-security/2026/05/05/10. If immediate patching is not feasible, disable the molds import functionality in idrac driver configurations as a compensating control, though this will prevent automated hardware configuration workflows and require manual provisioning processes. Alternatively, implement network-level egress filtering to restrict Ironic nodes from initiating outbound connections to untrusted endpoints, which prevents credential exfiltration but may impact legitimate driver operations requiring external connectivity. Audit Keystone token scopes assigned to Ironic service accounts and apply principle of least privilege to limit blast radius of stolen tokens. Review Ironic API access logs for suspicious molds import requests targeting external endpoints.

Vendor StatusVendor

Share

CVE-2026-42997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy