
OpenStack Ironic: EUVD-2026-25982 / CVE-2026-42510 (HIGH)
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-04-28 · mitre
CVSS 3.1 (NVD): 7.2

Severity by source

NVD (primary): 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 6.6 MEDIUM
Rationale: API-reachable, so AV:N; requires a non-default console interface configuration, raising AC to H; needs high-privilege operator credentials, so PR:H; ipmitool execution yields full CIA impact.
CVSS 3.1: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Red Hat: 6.6 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated, Jun 18, 2026 03:52 (vuln.today): v3 (cvss_changed)
Analysis Updated, Jun 18, 2026 03:51 (vuln.today): v2 (cvss_changed)
Re-analysis Queued, Jun 18, 2026 03:38 (vuln.today): cvss_changed
Severity Changed, Jun 18, 2026 03:38 (NVD): MEDIUM → HIGH
CVSS Changed, Jun 18, 2026 03:38 (NVD): 6.6 (MEDIUM) → 7.2 (HIGH)
Analysis Generated, Apr 28, 2026 06:01 (vuln.today)
EUVD ID Assigned, Apr 28, 2026 05:30 (euvd): EUVD-2026-25982
Analysis Generated, Apr 28, 2026 05:30 (vuln.today)
CVE Published, Apr 28, 2026 04:53 (nvd): MEDIUM 6.6

Description (NVD)

OpenStack Ironic through 25.0.0 allows ipmitool execution in a non-default configuration that has a console interface.

Analysis (AI)

Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to trigger ipmitool execution when a console interface is configured in a non-default deployment, leading to high impact on the confidentiality, integrity, and availability of the bare-metal provisioning node. No public exploit was identified at the time of analysis, EPSS is very low (0.07%, 20th percentile), and SSVC indicates no observed exploitation, consistent with a niche operator-level flaw rather than a mass-scanning risk.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain high-privilege Ironic operator credentials
Delivery: Identify deployment with console interface enabled
Exploit: Send crafted Ironic API request to console driver
Execution: Trigger ipmitool execution with attacker-controlled input
Persist: Execute commands in ironic-conductor context
Impact: Pivot to managed BMCs and bare-metal nodes

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) Ironic deployed at version ≤ 25.0.0; (2) the non-default console interface explicitly enabled in the Ironic driver/console configuration (default deployments without a console interface are not affected); (3) network reachability to the Ironic API endpoint; and (4) valid credentials holding high Ironic operator privileges (CVSS PR:H), not ordinary tenant or guest accounts. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Signals are mixed but consistently point to a high-impact, low-likelihood issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker who has compromised or legitimately holds high-privilege Ironic operator credentials on an OpenStack cloud whose deployment has enabled the console interface sends an API request that drives the console driver, causing the ironic-conductor to invoke ipmitool with attacker-influenced parameters. This yields arbitrary IPMI/BMC interaction against managed bare-metal hosts and code execution in the conductor context, allowing tenant separation bypass, node tampering, or denial of service on physical hardware. …
Remediation: A patch is available per the vendor advisory: upgrade Ironic to the fixed release referenced in OSSA-2026-008 (https://security.openstack.org/ossa/OSSA-2026-008.html). No exact fixed version is independently confirmed in the supplied data, so consult the advisory for the patched stable-branch release matching your OpenStack series. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all OpenStack Ironic deployments at version 25.0.0 or earlier with console interfaces enabled, and validate operator privilege separation controls. …
