Skip to main content

OpenStack Ironic CVE-2026-48681

| EUVDEUVD-2026-34203 MEDIUM
Relative Path Traversal (CWE-23)
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 04, 2026 - 05:00 EUVD
CVSS changed
Jun 04, 2026 - 04:22 NVD
5.9 (MEDIUM)
Analysis Generated
Jun 03, 2026 - 18:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Arbitrary file write on OpenStack Ironic conductor nodes is achievable via path traversal in virtual media ISO handling (OSSA-2026-018). Authenticated attackers who can supply a malicious ISO image through the deploy_iso_href parameter can write files to arbitrary locations on the conductor host, constrained only by the ironic-conductor process's filesystem permissions. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV, but the vulnerability carries a CVSS 3.1 score of 6.5 and is rated Critical severity by the Ironic project.

Technical ContextAI

The vulnerability resides in the _extract_iso() function at images.py lines 830-846 within the OpenStack Ironic codebase. Ironic uses the pycdlib library to iterate ISO9660 filesystem contents via iso.walk(), which returns raw path components from Rock Ridge extensions without normalization. The extraction logic constructs output paths by joining these raw ISO-internal paths with the extract_dir destination using os.path.join() but performs no validation to ensure the resulting resolved path remains within extract_dir. Because Rock Ridge extensions permit paths containing ../ sequences and pycdlib does not strip or normalize them, a crafted ISO can embed entries that, when joined, resolve to locations outside the intended extraction directory. The root cause class aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). This code path is exercised specifically during ISO-based bare-metal provisioning workflows used with Redfish virtual media and iRMC drivers.

RemediationAI

The primary fix is to apply the upstream patch commits available via OpenDev Gerrit: review 991372 targets the Bugfix/33.0 branch and review 991369 targets the Bugfix/34.0 branch (https://review.opendev.org/c/openstack/ironic/+/991372 and https://review.opendev.org/c/openstack/ironic/+/991369). The Ironic project has stated that no additional tagged release will be cut from these bugfix branches, so operators must apply the patch directly from git. The recommended remediation approach is to validate extracted ISO paths against the intended extract_dir using os.path.realpath() prior to writing, which the bug report confirms has no identified side effects. As a compensating control where patching is not immediately possible, operators can restrict which users or service accounts have permission to set deploy_iso_href - limiting this to highly trusted operators reduces the attack surface, at the cost of restricting provisioning flexibility. End-of-life releases (Bobcat, Dalmatian) should be prioritized for upgrade to a supported release train. The Launchpad bug tracker entry is at https://bugs.launchpad.net/ironic/+bug/2148333.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-48681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy