GHSA-h8rc-w822-q8vq
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible proxy-server requires low-privilege authenticated access; scope changes because object servers are caused to make requests, yielding partial confidentiality disclosure of internal infrastructure.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Server-side request forgery in OpenStack Swift's proxy-server allows authenticated users to manipulate object servers into issuing outbound HTTP requests to attacker-specified hosts. All Swift deployments running version 2.0.0 or later across all maintained release trains are affected, including the 2025.1/epoxy, 2025.2/flamingo, 2026.1/gazpacho, and development 2026.2/hibiscus branches. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated Swift user account with access to submit requests to the proxy-server API endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score or EPSS data was supplied with this advisory, so risk metrics are inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid Swift account submits a crafted API request to the proxy-server containing injected HTTP headers that specify an attacker-controlled or internal target host. The proxy-server forwards this manipulated request to an object server, which dutifully issues an outbound HTTP request to the specified destination - potentially reaching a cloud provider instance metadata service (e.g., 169.254.169.254) or an internal management API. … |
| Remediation | Upstream fixes have been submitted via OpenDev code review for all maintained branches: 2026.2/hibiscus at https://review.opendev.org/994449, 2026.1/gazpacho at https://review.opendev.org/994450, 2025.2/flamingo at https://review.opendev.org/994451, and 2025.1/epoxy at https://review.opendev.org/994452. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OpenStack Swift installations and document versions 2.0.0+. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing
An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubn
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close serv
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers
Isode SWIFT v4.0.2 was discovered to contain hard-coded credentials in the Registry Editor. Rated high severity (CVSS 7.
A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious
A stack overflow issue existed in Swift for Linux. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
Denial of service in OpenStack Swift's s3api middleware allows an authenticated S3 API user to permanently hang proxy-se
The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to de
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38537