GHSA-vxvx-hwwh-pp7c
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H
Requires an authenticated deploy-capable Ironic user (PR:H) reaching the API over the network (AV:N/AC:L); the bypass crosses into the node BMC (S:C) with high availability impact from arbitrary IPMI control.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H
Lifecycle Timeline
6Description PRE-NVD
AnalysisAI
Access-control bypass in OpenStack Ironic before 37.0.1 lets an Ironic user who is authorized to deploy nodes via the IPMI management interface invoke the send_raw deploy step to issue arbitrary IPMI commands directly to a node's BMC, sidestepping the permission model Ironic normally enforces on management actions. This is an authenticated privilege-boundary flaw (CVSS 8.2, PR:H) affecting bare-metal provisioning environments; no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Ironic user (PR:H) who already possesses the ability to deploy nodes and whose target node uses the IPMI management interface; the specific enabling feature is the send_raw deploy step, which passes arbitrary IPMI commands to the node BMC. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H, base 8.2) indicates network reachability, low complexity, and - critically - high privileges required, so this is not an unauthenticated internet-facing bug but an abuse-of-authorization by an already-trusted Ironic user with deploy rights. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant or operator holding Ironic deploy rights on an IPMI-managed node crafts a deployment that invokes the send_raw step with attacker-chosen IPMI command bytes, e.g. to force a chassis power control, alter boot settings, or manipulate the BMC beyond their intended authorization. … |
| Remediation | Vendor-released patch: upgrade OpenStack Ironic to 37.0.1 or later, which corrects the access-control enforcement on the send_raw deploy step (see OSSA-2026-025 at https://security.openstack.org/ossa/OSSA-2026-025.html and launchpad bug 2150458). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Ironic deployments and audit current authorization levels for users with IPMI deployment permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-424 – Improper Protection of Alternate Path
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42781