GHSA-3g4p-c74p-mh7x
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid Ironic API credential at the operator privilege level sufficient to create or modify bare metal nodes with custom pxe_template parameters. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector has been published for this CVE, which prevents definitive scoring of attack vector, complexity, or privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Ironic operator submits a node or template provisioning request containing a crafted pxe_template value that includes a path traversal sequence or template directive referencing a sensitive file on the conductor host, such as /etc/ironic/ironic.conf or SSH private keys in the conductor's home directory. The conductor processes the template and the extracted file contents are returned to the attacker via the API or rendered into accessible provisioning artifacts. … |
| Remediation | The primary fix is to apply the upstream Gerrit patches: review.opendev.org/c/openstack/ironic/+/991373 for the bugfix/33.0 line and review.opendev.org/c/openstack/ironic/+/991370 for the bugfix/34.0 line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence
Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limi
Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the ba
Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to
Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated oper
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to ex
Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34202