Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
AnalysisAI
Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access.
Technical ContextAI
OpenStack Ironic is a bare-metal provisioning service that manages physical hardware through driver interfaces. The idrac driver interfaces with Dell iDRAC (Integrated Dell Remote Access Controller) for server management. The vulnerability (CWE-669: Incorrect Resource Transfer Between Spheres) exists in the molds import functionality, where the driver forwards authentication credentials to remote endpoints during hardware configuration operations. Keystone is OpenStack's identity service that issues time-limited authentication tokens providing federated access across OpenStack components (Nova, Neutron, Cinder, etc.). The affected CPE confirms this is specific to the openstack:ironic product, with the Dell and Ironic tags indicating the issue is within the Dell hardware driver implementation.
RemediationAI
Upgrade OpenStack Ironic to fixed versions: 26.1.6 (Zed branch), 29.0.5 (2023.1/Antelope), 32.0.1 (2023.2/Bobcat), or 35.0.1 (2024.1/Caracal or later). Apply the appropriate patch for your OpenStack release branch following the oss-security advisory at https://www.openwall.com/lists/oss-security/2026/05/05/10. If immediate patching is not feasible, disable the molds import functionality in idrac driver configurations as a compensating control, though this will prevent automated hardware configuration workflows and require manual provisioning processes. Alternatively, implement network-level egress filtering to restrict Ironic nodes from initiating outbound connections to untrusted endpoints, which prevents credential exfiltration but may impact legitimate driver operations requiring external connectivity. Audit Keystone token scopes assigned to Ironic service accounts and apply principle of least privilege to limit blast radius of stolen tokens. Review Ironic API access logs for suspicious molds import requests targeting external endpoints.
Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence
Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the ba
Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to
Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated oper
OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obt
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to ex
File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Secu
Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27428
GHSA-54w4-233h-x86g