PT-2026-38679 · Openstack · Openstack Ironic
Dmitry Tantsur +1 · Published 2026-05-08 · Updated 2026-05-20 · CVE-2026-44916
CVSS v3.1: 3.0 Low
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenStack Ironic versions prior to 36.0
Description
In OpenStack Ironic, the ks template variable within instance info is rendered without sandboxing. Sandboxing is a security mechanism that isolates executing code to prevent it from accessing or modifying unauthorized parts of the system.
Recommendations
Update to a version later than 35.x.
As a temporary workaround, restrict access to the ks template variable within instance info to minimize the risk of exploitation.
Fix
RCE
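To illustrate the difference between unsandboxed and sandboxed template rendering described above, here is an added example that is not Ironic's code and not part of the original advisory. It assumes the template engine is Jinja2 (the advisory does not name the engine); the `render` and `check` helpers, the sample context and both templates are constructed for illustration.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample data, not taken from Ironic.
CONTEXT = {"node": {"hostname": "node-01", "disk": "/dev/sda"}}

# An ordinary kickstart-style template: it only reads values from the context.
BENIGN = (
    "network --hostname={{ node.hostname }}\n"
    "ignoredisk --only-use={{ node.disk }}\n"
)

# Harmless probe: asks for a Python-internal attribute instead of context data.
PROBE = "{{ node.__class__.__name__ }}"


def render(template_text, context, sandboxed):
    """Render with a plain Environment or with SandboxedEnvironment."""
    env_cls = SandboxedEnvironment if sandboxed else Environment
    # StrictUndefined makes missing or refused values fail loudly
    # instead of rendering as an empty string.
    env = env_cls(undefined=StrictUndefined, autoescape=False)
    return env.from_string(template_text).render(**context)


def check(template_text, context):
    """Return (ok, result): the rendered text, or why the sandbox refused."""
    try:
        return True, render(template_text, context, sandboxed=True)
    except SecurityError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("plain env, probe  :", render(PROBE, CONTEXT, sandboxed=False))
    print("sandbox,  probe   :", check(PROBE, CONTEXT))
    print("sandbox,  benign  :", check(BENIGN, CONTEXT))
```

The plain environment resolves the internal attribute, while the sandbox rejects it and still renders the ordinary template unchanged.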
Weakness Enumeration
Related Identifiers
Affected Products
Openstack Ironic