PatchSiren cyber security CVE debrief
CVE-2026-42510 OpenStack CVE debrief
CVE-2026-42510 affects OpenStack Ironic before 35.0.1. In a non-default configuration that includes the console interface, the issue can allow ipmitool execution. The supplied CVSS data rates it Medium (6.6), but the impact remains significant because the vector indicates network reachability, no user interaction, and high confidentiality, integrity, and availability impact with high privileges required.
- Vendor: OpenStack
- Product: Ironic
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-28
- Original CVE updated: 2026-05-20
- Advisory published: 2026-04-28
- Advisory updated: 2026-05-20
Who should care
OpenStack administrators and platform teams running Ironic, especially if the console interface is enabled in a non-default deployment or if privileged automation reaches the bare-metal management plane.
Technical summary
The supplied records describe a flaw in OpenStack Ironic prior to 35.0.1 where a non-default configuration with a console interface can lead to ipmitool execution. NVD metadata assigns CVSS 3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H and CWE-829. The issue is documented in an OpenStack security advisory and linked Launchpad bug, indicating vendor-recognized remediation in 35.0.1.
Defensive priority
Patch priority is moderate-to-high for any environment that enables the console interface; otherwise, keep it on the watchlist and verify the configuration is not exposed.
Recommended defensive actions
- Upgrade OpenStack Ironic to 35.0.1 or later.
- Check whether the console interface is enabled anywhere in your Ironic deployments.
- Restrict access to privileged Ironic management functions and review any automation that can reach the console path.
- Validate current configuration against the OpenStack advisory and the linked Launchpad issue.
- Review logs and administrative activity around Ironic console operations if the affected configuration was in use.
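The first two actions can be scripted as a triage pass over each conductor's configuration. The sketch below is an added example, not code from the advisory or the OpenStack project. It assumes the console setting is the `enabled_console_interfaces` option in the `[DEFAULT]` section of `ironic.conf`, with `no-console` as the no-op value; the sample configurations are constructed. Because this page does not say which console interface is affected, any interface other than `no-console` is flagged.

```python
import configparser

FIXED = (35, 0, 1)  # first fixed release named on this page
OPTION = "enabled_console_interfaces"  # assumption: Ironic [DEFAULT] option name
NOOP = {"no-console"}  # assumption: Ironic's no-op console interface

# Constructed sample configurations, not taken from a real deployment.
SAMPLE_EXPOSED = """[DEFAULT]
enabled_hardware_types = ipmi
enabled_console_interfaces = ipmitool-socat,no-console
"""
SAMPLE_DEFAULT = "[DEFAULT]\nenabled_hardware_types = ipmi\n"


def parse_version(text):
    """Leading numeric components, e.g. '35.0.1.dev2' -> (35, 0, 1)."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def console_interfaces(conf_text):
    """Console interfaces enabled in ironic.conf text, minus the no-op one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.defaults().get(OPTION, "")
    names = {n.strip() for n in raw.split(",") if n.strip()}
    return sorted(names - NOOP)


def triage(conf_text, version):
    """Classify one deployment as 'fixed', 'patch-now' or 'watchlist'."""
    if parse_version(version) >= FIXED:
        return "fixed"
    return "patch-now" if console_interfaces(conf_text) else "watchlist"


if __name__ == "__main__":
    for name, conf in (("exposed", SAMPLE_EXPOSED), ("default", SAMPLE_DEFAULT)):
        print(name, console_interfaces(conf), triage(conf, "35.0.0"))
```

A `watchlist` result only reflects the file that was read; nodes and conductors with their own configuration need the same check.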
Evidence notes
The CVE description states that OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration with a console interface. NVD metadata in the supplied corpus lists CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, vulnerability status 'Awaiting Analysis,' and CWE-829. The reference set includes a Launchpad bug, OSSA-2026-008, and an oss-security disclosure post.
Official resources
- CVE-2026-42510 CVE record (CVE.org)
- CVE-2026-42510 NVD detail (NVD)
The CVE was published on 2026-04-28 and last modified on 2026-05-20. The supplied reference set points to a Launchpad bug, OpenStack advisory OSSA-2026-008, and an oss-security post dated 2026-04-30. No CISA KEV entry is present in the held