PT-2026-22298 · Openstack · Openstack Vitrage
Khalil Lemtaffah · Published 2026-02-27 · Updated 2026-03-08
CVE-2026-28370 · CVSS v3.1 9.1 Critical · Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenStack Vitrage versions prior to 12.0.1, 13.0.0, 14.0.0, and 15.0.0
Description
A flaw exists in the query parser of OpenStack Vitrage that could allow a user with access to the Vitrage API to trigger code execution on the Vitrage service host. The flaw is in the create query function in vitrage/graph/query.py. Successful exploitation could lead to unauthorized access to the host and compromise of the Vitrage service. The issue stems from improper handling of user-supplied input.
Recommendations
OpenStack Vitrage versions prior to 12.0.1 should be updated.
OpenStack Vitrage versions prior to 13.0.0 should be updated.
OpenStack Vitrage versions prior to 14.0.0 should be updated.
OpenStack Vitrage versions prior to 15.0.0 should be updated.
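The description above names the underlying weakness as eval injection in a query parser: query input from the API is turned into Python source and evaluated, so whoever controls the query controls what the service process runs. The following is an added example, not code from the advisory or from the Vitrage project, that shows the pattern and a hardened alternative. The query format (single-key dicts with "and"/"or" lists and comparison leaves), the sample vertex records, and the function names unsafe_create_predicate, safe_create_predicate and run_query are all constructed for illustration and are not Vitrage's own.

```python
"""Eval-based query predicate (unsafe) beside an allow-list interpreter (safe).

Constructed example: the query language, vertex records and function names
are assumptions for illustration, not OpenStack Vitrage's code.
"""
import operator

# Constructed query language:
#   {"and": [node, ...]} / {"or": [node, ...]}      logical nodes
#   {"==": {"field": value}}, {">=": {...}}, ...     comparison leaves
_COMPARISONS = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}
_LOGICAL = {"and": all, "or": any}


def unsafe_create_predicate(query):
    """Vulnerable pattern: render the query as Python source and eval() it.

    The operator key is copied into the expression verbatim, so anything the
    caller puts there is interpreted as Python by the service process.
    """
    def to_expr(node):
        (op, arg), = node.items()
        if op in ("and", "or"):
            return "(" + f" {op} ".join(to_expr(n) for n in arg) + ")"
        (field, value), = arg.items()
        return f"(item[{field!r}] {op} {value!r})"
    return eval("lambda item: " + to_expr(query))  # noqa: S307 (deliberate)


def _leaf(field, cmp, value):
    """Build a comparison predicate that never raises on mismatched types."""
    def pred(item):
        if field not in item:
            return False
        try:
            return bool(cmp(item[field], value))
        except TypeError:  # e.g. ordering a str against an int
            return False
    return pred


def safe_create_predicate(query):
    """Hardened pattern: interpret the query tree directly; no eval().

    Every operator must be in an allow-list, every leaf must be a single
    field/scalar pair, and malformed nodes raise ValueError instead of being
    stringified.
    """
    if not isinstance(query, dict) or len(query) != 1:
        raise ValueError("query node must be a single-key dict")
    (op, arg), = query.items()
    if op in _LOGICAL:
        if not isinstance(arg, list) or not arg:
            raise ValueError(f"'{op}' needs a non-empty list of nodes")
        parts = [safe_create_predicate(n) for n in arg]
        combine = _LOGICAL[op]
        return lambda item: combine(p(item) for p in parts)
    if op in _COMPARISONS:
        if not isinstance(arg, dict) or len(arg) != 1:
            raise ValueError(f"'{op}' needs exactly one field: value pair")
        (field, value), = arg.items()
        if not isinstance(field, str):
            raise ValueError("field name must be a string")
        if not isinstance(value, (str, int, float, bool, type(None))):
            raise ValueError("comparison value must be a scalar")
        return _leaf(field, _COMPARISONS[op], value)
    raise ValueError(f"unsupported operator: {op!r}")


# Constructed sample graph vertices standing in for Vitrage entities.
VERTICES = [
    {"vitrage_type": "host", "name": "host-1", "severity": 3},
    {"vitrage_type": "alarm", "name": "cpu-high", "severity": 5},
    {"vitrage_type": "alarm", "name": "disk-warn", "severity": 2},
]


def run_query(query, vertices=VERTICES, builder=safe_create_predicate):
    """Return the names of vertices matching the query, using the given builder."""
    pred = builder(query)
    return [v["name"] for v in vertices if pred(v)]


if __name__ == "__main__":
    q = {"and": [{"==": {"vitrage_type": "alarm"}}, {">=": {"severity": 3}}]}
    print("safe  :", run_query(q))
    print("unsafe:", run_query(q, builder=unsafe_create_predicate))
    try:
        safe_create_predicate({"startswith": {"name": "h"}})
    except ValueError as exc:
        print("rejected:", exc)
```

For legitimate queries both builders agree, which is why such a defect survives functional testing; the difference is only visible in how unexpected operator keys are handled. The hardened version turns the query into closures over an allow-listed operator table, so the only code that ever runs is code already in the module, and a detection for this class of bug is simply grepping the service for eval()/exec() reachable from request handlers.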
Exploit · Fix
RCE · Eval Injection
Weakness Enumeration
Related Identifiers
Affected Products
Openstack Vitrage