PatchSiren cyber security CVE debrief

CVE-2026-42997 OpenStack CVE debrief

A vulnerability rated HIGH severity (CVSS 7.7) was discovered in OpenStack Ironic, the bare-metal provisioning service of the open-source OpenStack cloud platform. The issue allows a user to have Ironic forward its authorization to a remote endpoint of the user's choosing during import operations, exposing sensitive credentials. The affected versions of Ironic are 17.0.0 up to 26.1.6, 27.0.0 up to 29.0.5, 30.0.0 up to 32.0.1, and 33.0.0 up to 35.0.1; the upper bound of each range is the fixed release and is therefore not affected. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

Vendor: OpenStack
Product: Ironic
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-06-18
Advisory published: 2026-05-05
Advisory updated: 2026-06-18

Who should care

OpenStack administrators, Ironic users, and cloud infrastructure operators should be aware of this vulnerability and patch affected deployments promptly. Security teams responsible for monitoring and incident response should also be informed, since a forwarded token may already have been used.

Technical summary

The vulnerability in OpenStack Ironic occurs when a user invokes molds during import operations: the user can specify a remote endpoint, and Ironic sends its authorization to that endpoint. The credential forwarded is either a time-limited Keystone token, which grants access to every OpenStack service Ironic is authorized for, or the basic credentials configured for molds storage. An attacker-controlled endpoint can therefore capture a credential and use it for unauthorized access to sensitive resources.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to the fixed Ironic release for your series: 26.1.6, 29.0.5, 32.0.1, or 35.0.1.
  • Restrict access to Ironic import operations to authorized users only.
  • Monitor Ironic logs for import operations that reference unexpected remote endpoints.
  • Use secure authentication mechanisms for molds storage, and rotate the molds storage credentials if exposure is suspected.
  • Limit the scope and lifetime of Keystone tokens used for Ironic operations.
  • Regularly review and update Ironic configurations to ensure secure settings.

Evidence notes

The vulnerability was discovered in OpenStack Ironic before version 35.0.1. The affected versions are 17.0.0 up to 26.1.6, 27.0.0 up to 29.0.5, 30.0.0 up to 32.0.1, and 33.0.0 up to 35.0.1, where the upper bound of each range is the fixed release and is not itself affected. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
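The following version checker is an added example, not PatchSiren's or OpenStack's code; it encodes the ranges above (affected from the lower bound up to, but not including, the fixed release) and treats pre-release builds of a fixed version as still affected, so a deployment running 26.1.6.dev2, for instance, is not wrongly reported as patched.

```python
import re
from typing import Tuple

# (first affected, first fixed) per release series, taken from the debrief.
# The fourth element orders pre-releases (-1) before the final release (0).
AFFECTED_RANGES = [
    ((17, 0, 0, 0), (26, 1, 6, 0)),
    ((27, 0, 0, 0), (29, 0, 5, 0)),
    ((30, 0, 0, 0), (32, 0, 1, 0)),
    ((33, 0, 0, 0), (35, 0, 1, 0)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-]?(a|b|rc|dev)\d*)?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional a/b/rc/dev suffix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable Ironic version: {text!r}")
    major, minor, patch, pre = m.groups()
    # A pre-release of X sorts before the final X, so 26.1.6.dev2 < 26.1.6.
    return (int(major), int(minor), int(patch), -1 if pre else 0)


def assess(version: str) -> str:
    """Classify an installed Ironic version against this advisory.

    Returns 'affected', 'fixed', or 'not covered by this advisory'
    (versions below the first listed series).
    """
    v = parse_version(version)
    for i, (low, fixed) in enumerate(AFFECTED_RANGES):
        if low <= v < fixed:
            return "affected"
        # Anything from the fixed release up to the next series is patched;
        # the last series has no upper bound.
        next_low = AFFECTED_RANGES[i + 1][0] if i + 1 < len(AFFECTED_RANGES) else None
        if v >= fixed and (next_low is None or v < next_low):
            return "fixed"
    return "not covered by this advisory"


if __name__ == "__main__":
    # Constructed sample inputs, e.g. from `pip show ironic` on each controller.
    for sample in ["26.1.5", "26.1.6", "26.1.6.dev2", "30.0.0", "35.0.1"]:
        print(f"{sample:>12}: {assess(sample)}")
```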
