
OpenStack Ironic | EUVD-2026-34181 | CVE-2026-46447 | HIGH
Incorrect Resource Transfer Between Spheres (CWE-669)
7.7 (CVSS 3.1, NVD)

Severity by source

  • NVD (primary): 7.7 HIGH, AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
  • vuln.today AI: 7.7 HIGH. Ironic API is network-reachable and requires a low-privilege tenant account (AV:N/AC:L/PR:L); injected boot script crosses to the provisioned node (S:C), tampering with integrity only, with no data disclosure or DoS.
      CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
      CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: High
  • Availability: None

Lifecycle Timeline (9 events)

  • Jun 15, 2026 23:27, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 15, 2026 23:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 15, 2026 23:22, NVD: Severity Changed, MEDIUM → HIGH
  • Jun 15, 2026 23:22, NVD: CVSS changed, 5.8 (MEDIUM) → 7.7 (HIGH)
  • Jun 15, 2026 23:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 15, 2026 23:22, NVD: Severity Changed, MEDIUM → HIGH
  • Jun 15, 2026 23:22, NVD: CVSS changed, 5.8 (MEDIUM) → 7.7 (HIGH)
  • Jun 04, 2026 04:22, NVD: CVSS changed, 5.8 (MEDIUM)
  • Jun 03, 2026 18:18, vuln.today: Analysis Generated

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain low-privilege Ironic API credentials
  • Delivery: Submit crafted node/deploy parameters
  • Exploit: Malicious content embedded in generated boot script
  • Execution: Target node initiates Ironic-driven boot
  • Persist: Injected directives execute in boot environment
  • Impact: Integrity of provisioned bare-metal host compromised

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an account with at least low-privilege access to the Ironic API (CVSS PR:L) and network reachability to that API, which in typical OpenStack deployments is the management/provisioning network rather than the public internet. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are mixed but converge on a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated user with low-privilege access to the Ironic API (or a compromised tenant in a multi-tenant bare-metal cloud) submits crafted node attributes or deploy parameters that are incorporated into the boot script Ironic generates. When the target bare-metal node next boots via Ironic's provisioning workflow, the injected directives execute in the boot environment, altering the integrity of the provisioned host. …

Remediation: Patch available per vendor advisory: apply the Ironic update referenced in OSSA-2026-017 (https://security.openstack.org/ossa/OSSA-2026-017.html) and, on Ubuntu, install the packages from USN-8421-1 (https://ubuntu.com/security/notices/USN-8421-1). Exact fix versions are not enumerated in the supplied intelligence, so consult the OSSA stable-branch backport list before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Identify all OpenStack Ironic deployments in production; document installed versions and scope of managed bare-metal assets (count of provisioned systems per cluster). …



EUVD-2026-34181 vulnerability details – vuln.today
