Severity by source

CVSS 3.1 vector (vendor: mitre): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Ironic API is network-accessible; PR:H because operator privileges are required; S:C because iSCSI credential leakage impacts storage systems outside Ironic; I:N and A:N because only information disclosure occurs.

Primary rating from vendor (mitre).
Description (CVE.org)
In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
Analysis (AI-generated)
Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. …
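The bug class described above, a partial-update (PATCH) response that returns the stored object without the redaction applied to other responses, as an added example beside its fix; this is not Ironic's code, and the volume target layout, the field names auth_username/auth_password and the minimal JSON-Patch handling are assumptions:

```python
import copy
import re

MASK = "******"
# Credential-bearing keys: an explicit set plus a pattern for the usual suspects.
# The key names are assumptions about the volume target layout, not Ironic's.
SECRET_KEYS = frozenset({"auth_username", "auth_password"})
SECRET_KEY_RE = re.compile(r"password|secret|token", re.IGNORECASE)

# Constructed sample: one iSCSI volume target using CHAP authentication.
STORED_TARGET = {
    "volume_type": "iscsi",
    "boot_index": 0,
    "properties": {
        "target_portal": "192.0.2.10:3260",
        "target_iqn": "iqn.2026-01.example:target0",
        "auth_username": "chapuser",
        "auth_password": "chap-secret-value",
    },
}

def mask_secrets(obj):
    """Return a copy of obj with every credential-like string replaced by MASK."""
    if isinstance(obj, dict):
        return {k: (MASK if isinstance(v, str) and (k in SECRET_KEYS or SECRET_KEY_RE.search(k))
                    else mask_secrets(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_secrets(v) for v in obj]
    return obj

def apply_patch(target, patch):
    """Apply JSON-Patch 'replace' operations to a deep copy of target."""
    updated = copy.deepcopy(target)
    for op in patch:
        if op.get("op") != "replace":
            raise ValueError("only 'replace' is modelled here")
        *parents, leaf = op["path"].strip("/").split("/")
        node = updated
        for p in parents:
            node = node[p]
        node[leaf] = op["value"]
    return updated

def patch_vulnerable(target, patch):
    """Bug pattern: the updated object is serialised straight back to the caller."""
    return apply_patch(target, patch)

def patch_fixed(target, patch):
    """Fix pattern: every representation that leaves the API passes mask_secrets."""
    return mask_secrets(apply_patch(target, patch))
```

The defensive point is that redaction belongs in the one serialisation path every response shares, so a new verb such as PATCH cannot skip it.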
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated Ironic operator- or admin-level session with sufficient RBAC permissions to issue PATCH requests against volume connector or volume target resources on at least one node (PR:H per CVSS). … |
| Risk Assessment | The CVSS 3.1 score of 6.8 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N is well-calibrated: the network attack vector and low complexity reflect straightforward API exploitation, but PR:H meaningfully constrains the threat surface to already-privileged Ironic operators or administrators. … |
| Exploit Scenario | An Ironic operator-level user with legitimate API credentials issues a PATCH request to update a non-sensitive authorized field (such as a volume connector property) on a node that has iSCSI volume targets configured with CHAP authentication. The Ironic API processes the update and returns the full updated resource representation, including the unredacted iSCSI CHAP username and secret. … |
| Remediation | Upgrade OpenStack Ironic to a version beyond 35.0.1 once a patched release is published; monitor the Launchpad bug report at https://bugs.launchpad.net/ironic/+bug/2155049 for fix confirmation and the exact patched version, as no specific fixed release was confirmed in the available input data. … |
Vendor Status

Debian (bug #1140012)

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1:16.0.3-1 | - |
| bookworm | vulnerable | 1:21.1.0-3 | - |
| bookworm (security) | vulnerable | 1:21.4.4-0+deb12u1 | - |
| trixie | vulnerable | 1:29.0.0-7 | - |
| trixie (security) | vulnerable | 1:29.0.5-0+deb13u2 | - |
| forky, sid | vulnerable | 1:35.0.1-5 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE: severity Moderate

Related identifiers: EUVD-2026-36658, GHSA-j4cw-mcg2-2q78