Skip to main content

Ironic

8 CVEs product

Monthly

CVE-2026-54421 MEDIUM PATCH This Month

Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. Notably, the same volume properties endpoint does not exhibit this behavior on POST requests, isolating the flaw to the PATCH response serialization path. No public exploit code has been identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Red Hat Suse Ironic
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-50589 PyPI HIGH PATCH This Week

Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the bare-metal provisioning service by submitting a crafted JSON payload to certain API or JSON-RPC endpoints. CVSS 7.5 reflects high availability impact with no authentication required, though EPSS is only 0.04% (12th percentile) and SSVC marks exploitation as 'none' - no public exploit identified at time of analysis. The flaw is tracked as a CWE-770 unbounded resource consumption issue and documented in OpenStack Security Note OSSN-0099.

Denial Of Service Ironic
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44917 MEDIUM PATCH This Month

File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.

Information Disclosure Ironic
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-46447 HIGH PATCH This Week

Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.

Code Injection Ironic
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-44919 PyPI MEDIUM This Month

Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. No public exploit independently confirmed but SSVC data indicates proof-of-concept exists; EPSS sits at 0.01% (2nd percentile), consistent with low widespread exploitation likelihood despite the poc signal.

Denial Of Service Ironic
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44916 LOW Monitor

Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose sensitive information by rendering unsandboxed Jinja2 templates in the instance_info['ks_template'] parameter. The vulnerability requires high-privilege user interaction and has low confidentiality impact with no integrity or availability consequences.

Information Disclosure Ssti Ironic
NVD VulDB
CVSS 3.1
3.0
EPSS
0.0%
CVE-2026-42997 PyPI HIGH PATCH GHSA This Week

Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access.

Information Disclosure Dell Ironic
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-42510 PyPI HIGH This Week

Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to trigger ipmitool execution when a console interface is configured in a non-default deployment, leading to high impact on confidentiality, integrity, and availability of the bare-metal provisioning node. No public exploit identified at time of analysis, EPSS is very low (0.07%, 20th percentile), and SSVC indicates no observed exploitation, consistent with a niche operator-level flaw rather than mass-scanning risk.

Information Disclosure Ironic
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. Notably, the same volume properties endpoint does not exhibit this behavior on POST requests, isolating the flaw to the PATCH response serialization path. No public exploit code has been identified and the vulnerability is not listed in CISA KEV.

Information Disclosure Red Hat Suse +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the bare-metal provisioning service by submitting a crafted JSON payload to certain API or JSON-RPC endpoints. CVSS 7.5 reflects high availability impact with no authentication required, though EPSS is only 0.04% (12th percentile) and SSVC marks exploitation as 'none' - no public exploit identified at time of analysis. The flaw is tracked as a CWE-770 unbounded resource consumption issue and documented in OpenStack Security Note OSSN-0099.

Denial Of Service Ironic
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.

Information Disclosure Ironic
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.

Code Injection Ironic
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. No public exploit independently confirmed but SSVC data indicates proof-of-concept exists; EPSS sits at 0.01% (2nd percentile), consistent with low widespread exploitation likelihood despite the poc signal.

Denial Of Service Ironic
NVD VulDB
EPSS 0% CVSS 3.0
LOW Monitor

Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose sensitive information by rendering unsandboxed Jinja2 templates in the instance_info['ks_template'] parameter. The vulnerability requires high-privilege user interaction and has low confidentiality impact with no integrity or availability consequences.

Information Disclosure Ssti Ironic
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access.

Information Disclosure Dell Ironic
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to trigger ipmitool execution when a console interface is configured in a non-default deployment, leading to high impact on confidentiality, integrity, and availability of the bare-metal provisioning node. No public exploit identified at time of analysis, EPSS is very low (0.07%, 20th percentile), and SSVC indicates no observed exploitation, consistent with a niche operator-level flaw rather than mass-scanning risk.

Information Disclosure Ironic
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy