Skip to main content

Glance EUVDEUVD-2026-17323

| CVE-2026-34881 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-31 mitre
5.0
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Red Hat
5.0 MEDIUM
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 06:00 euvd
EUVD-2026-17323
Analysis Generated
Mar 31, 2026 - 06:00 vuln.today
CVE Published
Mar 31, 2026 - 05:29 nvd
MEDIUM 5.0

DescriptionCVE.org

OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.

AnalysisAI

Server-Side Request Forgery in OpenStack Glance image import allows authenticated users to bypass URL validation via HTTP redirects and reach internal services. Affected versions include Glance prior to 29.1.1, 30.0.0 through 30.1.0, and 31.0.0. The vulnerability impacts web-download and glance-download import methods, plus the optional ovf_process plugin. An authenticated attacker can craft a redirect chain to access restricted internal endpoints, though the CVSS vector indicates no confidentiality impact and limited integrity risk (CVSS 5.0). No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in OpenStack Glance's image import functionality, which processes external image sources via HTTP. The root cause is improper validation of HTTP redirect targets (CWE-918: Server-Side Request Forgery). Glance's URL validation logic fails to account for HTTP 3xx redirects, allowing attackers to specify an external URL that redirects to internal services (localhost, private IP ranges, internal hostnames). The affected import methods (web-download, glance-download, and the optional ovf_process plugin) all use HTTP client libraries that follow redirects by default, inherently trusting the destination after the redirect. This bypasses any initial URL allowlist or validation checks performed on the user-supplied URL. The vulnerability requires prior authentication, limiting attack scope to users with glance image import privileges, which explains the PR:L (Privilege Required: Low) designation in the CVSS vector.

RemediationAI

Upgrade OpenStack Glance to version 29.1.1 or later (for stable/29.x branch), version 30.1.1 or later (for stable/30.x branch), or version 31.1.0 or later (for stable/31.x branch). These releases include URL validation fixes that reject or validate redirect targets. If immediate upgrade is not feasible, disable the optional ovf_process import plugin if it is not required for operations, and restrict glance image import functionality to trusted administrator users only via role-based access control. Review and restrict network egress rules from Glance services to internal IP ranges and localhost to limit the scope of internal services reachable via redirects. Consult OpenStack security advisory OSSA-2026-004 and the Launchpad bug report for environment-specific mitigation and testing guidance before deployment.

More in Glance

View all
CVE-2022-31546 CRITICAL POC
9.3 Jul 11

The nlpweb/glance repository through 2014-06-27 on GitHub allows absolute path traversal because the Flask send_file fun

CVE-2015-5162 HIGH POC
7.5 Oct 07

The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.

CVE-2018-3715 MEDIUM POC
6.5 Jun 07

glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to

CVE-2018-3748 MEDIUM POC
6.1 Jul 03

There is a Stored XSS vulnerability in the glance node module versions <= 3.0.5. Rated medium severity (CVSS 6.1), this

CVE-2022-24696 HIGH
7.8 Mar 13

Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges. Rated high

CVE-2013-4428 LOW POC
3.5 Oct 27

OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when t

CVE-2024-32498 MEDIUM
6.5 Jul 05

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Rated medium s

CVE-2017-7200 MEDIUM
5.8 Mar 21

An SSRF issue was discovered in OpenStack Glance before Newton. Rated medium severity (CVSS 5.8), this vulnerability is

CVE-2015-8234 MEDIUM
5.5 Mar 29

The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification pr

CVE-2015-3289 MEDIUM
4.0 Aug 14

OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption

CVE-2013-1840 LOW
3.5 Mar 22

The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 st

CVE-2015-5163 LOW
3.5 Aug 19

The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allow

Vendor StatusVendor

Debian

Bug #1131274
glance
Release Status Fixed Version Urgency
bullseye vulnerable 2:21.0.0-2+deb11u1 -
bullseye (security) vulnerable 2:21.1.0-1+deb11u2 -
bookworm, bookworm (security) vulnerable 2:25.1.0-2+deb12u1 -
trixie vulnerable 2:30.0.0-3 -
forky, sid fixed 2:32.0.0~rc2-2 -
(unstable) fixed 2:31.0.0-3 -

Share

EUVD-2026-17323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy