
OpenStack Ironic · EUVD-2026-34202 | CVE-2026-44917 · MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
4.9 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available
Jun 04, 2026 - 05:00 EUVD
CVSS changed
Jun 04, 2026 - 04:22 NVD
4.9 (MEDIUM)
Analysis Generated
Jun 03, 2026 - 18:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain Ironic operator credentials
Delivery: Craft malicious pxe_template payload
Exploit: Submit via Ironic API to conductor
Execution: Conductor reads attacker-specified file path
Persist: Sensitive file contents returned to attacker
Impact: Leverage extracted secrets for lateral movement

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold a valid Ironic API credential at the operator privilege level sufficient to create or modify bare metal nodes with custom pxe_template parameters. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: No CVSS vector has been published for this CVE, which prevents definitive scoring of attack vector, complexity, or privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated Ironic operator submits a node or template provisioning request containing a crafted pxe_template value that includes a path traversal sequence or template directive referencing a sensitive file on the conductor host, such as /etc/ironic/ironic.conf or SSH private keys in the conductor's home directory. The conductor processes the template and the extracted file contents are returned to the attacker via the API or rendered into accessible provisioning artifacts. …

Remediation: The primary fix is to apply the upstream Gerrit patches: review.opendev.org/c/openstack/ironic/+/991373 for the bugfix/33.0 line and review.opendev.org/c/openstack/ironic/+/991370 for the bugfix/34.0 line. … Detailed patch versions, workarounds, and compensating controls in full report.
