
OpenStack Ironic CVE-2026-44916

EUVD-2026-28531 | Severity: LOW
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-05-08 | mitre | GHSA-979m-gf7m-rg53
CVSS 3.1 base score: 3.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 08, 2026 - 07:30 (vuln.today)
CVE Published: May 08, 2026 - 06:38 (nvd), LOW 3.0

Description (NVD)

In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.

Analysis (AI)

Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose sensitive information, because Jinja2 templates supplied through the instance_info['ks_template'] parameter are rendered unsandboxed. Exploitation requires a high-privilege account and no user interaction; the confidentiality impact is low, with no integrity or availability impact.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as Ironic administrator
Delivery: Create or modify bare-metal instance
Exploit: Inject Jinja2 SSTI payload in ks_template
Execution: Trigger template rendering during provisioning
Persist: Extract sensitive context variables
Impact: Disclose information

Vulnerability Assessment (AI)

Exploitation: Exploitation requires authenticated network access to OpenStack Ironic with high-privilege administrator or operator credentials that permit instance creation and modification of instance_info metadata. …

Risk Assessment: Despite the CVSS score of 3.0, real-world risk is constrained by multiple exploitation factors. …

Exploit Scenario: An OpenStack operator with administrative privileges to Ironic deliberately or accidentally creates a bare-metal instance with a malicious ks_template value containing Jinja2 expressions like '{{ config }}' or '{{ context.keys() }}'. When Ironic renders the template during provisioning, the expressions are evaluated and expose internal template context variables, allowing the operator to extract deployment metadata, configuration values, or other sensitive context information embedded in the rendering environment.

Remediation: Apply the security patch available via OpenStack Ironic upstream releases following version 35.x; consult the Launchpad bug tracker (https://bugs.launchpad.net/ironic/+bug/2148307) for exact patched version availability and timeline. …
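
A pre-render review check for the scenario above, as an added example (not Ironic's code and not the upstream fix): a standard-library Python lint that flags Jinja2 expressions in kickstart template text that reference anything other than an expected context variable. The `ks_options` allowlist, the `audit_template` name and the sample templates are assumptions constructed for illustration.

```python
import re

# Assumption: the one context variable a legitimate kickstart template reads.
ALLOWED_ROOTS = frozenset({"ks_options"})
KEYWORDS = frozenset({"if", "elif", "else", "endif", "for", "in", "endfor",
                      "set", "endset", "not", "and", "or", "is",
                      "true", "false", "none", "True", "False", "None"})
TAG = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)   # {{ expr }} and {% stmt %}
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
TOKEN = re.compile(r"\d[\w.]*|[A-Za-z_]\w*|\S")


def audit_template(text, allowed_roots=ALLOWED_ROOTS):
    """Return sorted findings for names the template should not reference."""
    findings, local = set(), set()   # local: names declared by for/set
    for m in TAG.finditer(text):
        body = (m.group(1) or m.group(2) or "").strip("-")
        declaring, prev = False, ""
        for tok in TOKEN.findall(STRING.sub('""', body)):
            is_name = tok[0].isalpha() or tok[0] == "_"
            if tok in ("for", "set") and prev == "":
                declaring = True
            elif tok in ("in", "="):
                declaring = False
            elif tok == "not" and prev == "is":
                continue                       # "is not <test>": keep prev == "is"
            elif is_name and prev == ".":
                if tok.startswith("_"):
                    findings.add(f"underscore attribute: {tok}")
            elif is_name and prev in ("|", "is"):
                pass                           # filter or test name, not a variable
            elif is_name and declaring:
                local.add(tok)
            elif is_name and tok not in KEYWORDS | local | allowed_roots:
                findings.add(f"unexpected variable: {tok}")
            prev = tok
    return sorted(findings)


# Constructed samples; the second uses the expressions quoted in the scenario.
CLEAN = ("liveimg --url {{ ks_options.liveimg_url }}\n"
         "{% if ks_options.agent_token is not none %}# token set{% endif %}\n")
SUSPECT = "# {{ config }}\n# {{ context.keys() }}\n"

if __name__ == "__main__":
    for name, tpl in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_template(tpl))
```

The lint is deliberately conservative (keyword arguments and Jinja2 globals are reported too) and is a review aid for operator-supplied templates; it does not replace rendering in a sandboxed environment.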
