Skip to main content

OpenStack Ironic CVE-2026-44918

| EUVDEUVD-2026-42777 MEDIUM
Missing Authorization (CWE-862)
5.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Network API access with existing low-privileged credentials; high confidentiality impact due to iSCSI credential exposure in affected configurations; limited integrity impact on Port/Portgroup objects; no availability impact described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 05:01 EUVD
CVSS changed
Jul 10, 2026 - 04:22 NVD
5.5 (MEDIUM)
Analysis Generated
Jul 08, 2026 - 16:50 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Insufficient access controls in OpenStack Ironic's parent/child node hierarchy allow authenticated users to access or manipulate resources belonging to nodes outside their authorization scope. Affected objects include Volume Targets and Volume Connectors - which carry iSCSI storage credentials in boot-from-volume deployments - as well as Port and Portgroup objects (hardened as defense-in-depth in the same patch set). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Ironic API as low-privileged project user
Delivery
Identify target node in parent/child relationship
Exploit
Send unauthorized API request for Volume Target or Connector
Execution
Retrieve iSCSI storage credentials
Impact
Access shared SAN storage or pivot to additional bare-metal hosts

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Ironic API session with at least read-level access to one node within the deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided in the input data, so severity must be inferred from the vulnerability description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged Ironic API user - such as a project operator in a multi-tenant bare-metal cloud - crafts API requests targeting Volume Targets or Volume Connectors associated with a node they do not own, exploiting the absent parent/child boundary check to retrieve iSCSI initiator or target credentials. With those credentials, the attacker gains unauthorized access to shared SAN storage, potentially exposing data from other tenants' bare-metal workloads. …
Remediation Apply the upstream patches corresponding to the deployed Ironic branch via the Gerrit review links in the advisory: 996478 (epoxy), 996476 (flamingo), 996469 (gazpacho), 996462 (hibiscus), 996474 (Bugfix/33.0), 996471 (Bugfix/34.0), 996464 (Bugfix/37.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit Ironic API audit logs for suspicious cross-node access patterns to Volume Targets, Volume Connectors, Port, and Portgroup objects; identify users with excessive resource permissions; initiate immediate rotation of iSCSI credentials. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy