Skip to main content

OpenStack Ironic EUVDEUVD-2026-42781

| CVE-2026-54423 HIGH
Improper Protection of Alternate Path (CWE-424)
8.2
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H
vuln.today AI
8.2 HIGH

Requires an authenticated deploy-capable Ironic user (PR:H) reaching the API over the network (AV:N/AC:L); the bypass crosses into the node BMC (S:C) with high availability impact from arbitrary IPMI control.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

6
Patch available
Jul 10, 2026 - 05:01 EUVD
Analysis Updated
Jul 10, 2026 - 04:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 04:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 04:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 04:22 NVD
8.2 (HIGH)
Analysis Generated
Jul 08, 2026 - 17:05 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Access-control bypass in OpenStack Ironic before 37.0.1 lets an Ironic user who is authorized to deploy nodes via the IPMI management interface invoke the send_raw deploy step to issue arbitrary IPMI commands directly to a node's BMC, sidestepping the permission model Ironic normally enforces on management actions. This is an authenticated privilege-boundary flaw (CVSS 8.2, PR:H) affecting bare-metal provisioning environments; no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as deploy-capable Ironic user
Delivery
Target an IPMI-managed node
Exploit
Invoke send_raw deploy step
Execution
Bypass Ironic access control
Persist
Send arbitrary IPMI commands to BMC
Impact
Disrupt or reconfigure hardware

Vulnerability AssessmentAI

Exploitation Requires an authenticated Ironic user (PR:H) who already possesses the ability to deploy nodes and whose target node uses the IPMI management interface; the specific enabling feature is the send_raw deploy step, which passes arbitrary IPMI commands to the node BMC. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H, base 8.2) indicates network reachability, low complexity, and - critically - high privileges required, so this is not an unauthenticated internet-facing bug but an abuse-of-authorization by an already-trusted Ironic user with deploy rights. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant or operator holding Ironic deploy rights on an IPMI-managed node crafts a deployment that invokes the send_raw step with attacker-chosen IPMI command bytes, e.g. to force a chassis power control, alter boot settings, or manipulate the BMC beyond their intended authorization. …
Remediation Vendor-released patch: upgrade OpenStack Ironic to 37.0.1 or later, which corrects the access-control enforcement on the send_raw deploy step (see OSSA-2026-025 at https://security.openstack.org/ossa/OSSA-2026-025.html and launchpad bug 2150458). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Ironic deployments and audit current authorization levels for users with IPMI deployment permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy