Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated remote JSON payload crashes the service with no user interaction, no confidentiality or integrity impact, only high availability impact.
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
In OpenStack Ironic 32 through 35.0.1, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.
Analysis (AI)
Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the bare-metal provisioning service by submitting a crafted JSON payload to certain API or JSON-RPC endpoints. CVSS 7.5 reflects high availability impact with no authentication required, though EPSS is only 0.04% (12th percentile) and SSVC marks exploitation as 'none' - no public exploit identified at time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires network reachability to either the Ironic REST API or the JSON-RPC service on an OpenStack deployment running Ironic version 32 through 35.0.1, and the ability to submit a crafted JSON body to one of the affected endpoints; no authentication, user interaction, or non-default configuration is needed per CVSS AV:N/AC:L/PR:N/UI:N. … |
| Risk Assessment | Signals diverge meaningfully here: CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) frames this as a high-severity remotely reachable DoS, and SSVC flags it as automatable with partial technical impact, both of which argue for prompt patching in environments where the Ironic API or JSON-RPC port is reachable by untrusted networks. … |
| Exploit Scenario | An attacker with network reachability to the Ironic API or JSON-RPC port sends a single crafted JSON request to a vulnerable endpoint without authenticating, causing the Ironic service process to crash and halting bare-metal provisioning and node management until the daemon is restarted. Repeated submissions can keep the service unavailable, disrupting tenant deployments and any automation that depends on Ironic. … |
| Remediation | Upstream fix available per OSSN-0099 and the Launchpad bug; a released patched version is not independently confirmed from the input data, so operators should consult OSSN-0099 (https://wiki.openstack.org/wiki/OSSN/OSSN-0099) and the Ironic stable branch advisories to identify the specific 35.0.x or later point release that contains the fix and upgrade accordingly. … |
Recommended Action (AI)
Within 24 hours: Identify all OpenStack Ironic deployments; confirm which systems run versions 32, 33, 34, or 35.0.1; document network exposure of API and JSON-RPC endpoints. …
Related OpenStack Ironic vulnerabilities (same technique: Denial of Service)
- Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence …
- Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limi…
- Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to …
- Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated oper…
- Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to ex…
- File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Secu…
- Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose …
Vendor Status
SUSE
Severity: Moderate
Related identifiers
- EUVD-2026-34774
- GHSA-q3g8-rjrx-59ph