
OpenStack Ironic – EUVD-2026-36658

CVE-2026-54421 · MEDIUM
Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)
Published: 2026-06-14 · Source: mitre · Advisory: GHSA-j4cw-mcg2-2q78
Score: 6.8 (CVSS 3.1) · Vendor: mitre

Severity by source

Vendor (mitre) – PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

vuln.today AI
6.8 MEDIUM

Ironic API is network-accessible; PR:H because operator privileges are required; S:C because iSCSI credential leakage impacts storage systems outside Ironic; I:N and A:N because only information disclosure occurs.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

SUSE
MEDIUM (qualitative)

Red Hat
6.5 MEDIUM (qualitative)

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1. Analysis Generated
Jun 14, 2026 - 04:12 (vuln.today)

Description (CVE.org)

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.

Analysis (AI)

Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Obtain Ironic operator-level API credentials
Delivery
Identify node with iSCSI volume targets configured
Exploit
Issue PATCH request to volume connector or volume target endpoint
Execution
Capture unredacted iSCSI CHAP credentials from API response
Persist
Authenticate directly to iSCSI storage target
Impact
Access underlying block storage outside Ironic authorization controls

Vulnerability Assessment (AI)

Exploitation
Exploitation requires an authenticated Ironic operator- or admin-level session with sufficient RBAC permissions to issue PATCH requests against volume connector or volume target resources on at least one node (PR:H per CVSS). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment
The CVSS 3.1 score of 6.8 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N is well-calibrated: the network attack vector and low complexity reflect straightforward API exploitation, but PR:H meaningfully constrains the threat surface to already-privileged Ironic operators or administrators. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario
An Ironic operator-level user with legitimate API credentials issues a PATCH request to update a non-sensitive authorized field (such as a volume connector property) on a node that has iSCSI volume targets configured with CHAP authentication. The Ironic API processes the update and returns the full updated resource representation, including the unredacted iSCSI CHAP username and secret. …

Remediation
Upgrade OpenStack Ironic to a version beyond 35.0.1 once a patched release is published; monitor the Launchpad bug report at https://bugs.launchpad.net/ironic/+bug/2155049 for fix confirmation and the exact patched version, as no specific fixed release was confirmed in the available input data. … Detailed patch versions, workarounds, and compensating controls in full report.


Vendor Status

Debian

Bug #1140012 (package: ironic)

Release               Status      Fixed Version          Urgency
bullseye              vulnerable  1:16.0.3-1             -
bookworm              vulnerable  1:21.1.0-3             -
bookworm (security)   vulnerable  1:21.4.4-0+deb12u1     -
trixie                vulnerable  1:29.0.0-7             -
trixie (security)     vulnerable  1:29.0.5-0+deb13u2     -
forky, sid            vulnerable  1:35.0.1-5             -
(unstable)            fixed       (unfixed)              -

SUSE

Severity: Moderate
