PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44916 OpenStack CVE debrief

CVE-2026-44916 is a low-severity issue in OpenStack Ironic affecting versions before 35.0.2 in a certain non-default configuration. The published description says instance_info['ks_template'] is rendered without sandboxing: a template taken from a node's instance_info is handed to the template engine with no restriction on what the template text can reach, which is the template-injection weakness class (CWE-1336). Public records show the CVE was first published on 2026-05-08 and modified on 2026-05-20, and its references are a Launchpad bug, an OpenStack security advisory, and an oss-security announcement.
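The advisory does not name the template engine or show the vulnerable code, so the following is an added illustration of the weakness class only, built on a constructed toy template engine; it is not Ironic's code and does not reproduce the actual CVE-2026-44916 path. It shows why "rendered without sandboxing" matters: the unsandboxed renderer evaluates whatever is inside `{{ }}`, so a template author who controls the text gets code execution, whereas the sandboxed renderer only resolves names against the supplied data and rejects everything else.

```python
"""Toy illustration of CWE-1336 (template injection). Constructed example,
not Ironic's template handling; the 'hostile' template below is made up."""
import re

TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")


class TemplateError(Exception):
    pass


def render_unsandboxed(template: str, ctx: dict) -> str:
    """Vulnerable pattern: each {{ expr }} is evaluated as a Python expression.
    Even with empty globals, eval() inserts __builtins__, so a template that
    reaches __import__ runs arbitrary code with the renderer's privileges."""
    return TAG.sub(lambda m: str(eval(m.group(1), {}, dict(ctx))), template)


def _lookup(path: str, ctx: dict):
    """Sandboxed lookup: only dotted identifiers, resolved as dict keys of ctx,
    no dunder names, no attribute access on Python objects, scalar leaves only."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*", path):
        raise TemplateError(f"illegal expression: {path!r}")
    cur = ctx
    for part in path.split("."):
        if part.startswith("__") or not isinstance(cur, dict) or part not in cur:
            raise TemplateError(f"unknown name: {path!r}")
        cur = cur[part]
    if not isinstance(cur, (str, int, float, bool)):
        raise TemplateError(f"non-scalar value: {path!r}")
    return cur


def render_sandboxed(template: str, ctx: dict) -> str:
    """Hardened pattern: {{ }} may only reference data the caller supplied."""
    return TAG.sub(lambda m: str(_lookup(m.group(1), ctx)), template)


def demo() -> dict:
    """Run a benign and a hostile (constructed) template through both renderers."""
    ctx = {"hostname": "node-01"}
    benign = "host {{ hostname }}"
    hostile = "{{ __import__('os').getpid() }}"  # constructed attacker template
    out = {
        "benign_unsandboxed": render_unsandboxed(benign, ctx),
        "benign_sandboxed": render_sandboxed(benign, ctx),
        # the unsandboxed renderer actually calls os.getpid(): a number comes back
        "hostile_unsandboxed_executed": render_unsandboxed(hostile, ctx).isdigit(),
    }
    try:
        render_sandboxed(hostile, ctx)
        out["hostile_sandboxed_blocked"] = False
    except TemplateError:
        out["hostile_sandboxed_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sandboxed version also refuses `{{ hostname.__class__ }}`, the usual first step of walking from a harmless string to the interpreter's builtins; that dunder check is what real sandboxed template environments enforce on attribute access.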

Vendor
OpenStack
Product
Ironic
CVSS
LOW (3.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-20
Advisory published
2026-05-08
Advisory updated
2026-05-20

Who should care

Operators and maintainers running OpenStack Ironic, especially environments that use the affected non-default ks_template configuration. Security teams that track OpenStack advisories and package updates should also review exposure.

Technical summary

NVD lists CVE-2026-44916 with the CVSS v3.1 vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine, i.e. template injection). Decoded, the vector says the issue is reachable over the network but with high attack complexity and high privileges required, needs no user interaction, changes scope, and has a low confidentiality impact with no integrity or availability impact. The issue affects OpenStack Ironic before 35.0.2 and consists of rendering instance_info['ks_template'] without sandboxing in a non-default configuration. Those metrics give a base score of 3.0 (LOW).

Defensive priority

Low, but worth addressing during normal maintenance because the issue is publicly disclosed and a fixed release is available.

Recommended defensive actions

  • Upgrade OpenStack Ironic to 35.0.2 or later.
  • Check whether your deployment uses the affected non-default ks_template configuration.
  • Review configuration management and deployment templates for any use of instance_info['ks_template'].
  • Monitor the linked OpenStack security advisory and package/vendor update channels for remediation guidance.
  • If you cannot upgrade immediately, document affected hosts, keep changes to those hosts under change control, and, because the vector requires high privileges, review which accounts can set instance_info on nodes until the fixed release is deployed.
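The three checks above (is the running Ironic older than 35.0.2, which nodes actually set instance_info['ks_template'], and which hosts therefore need documenting) are mechanical enough to script. The following is an added triage helper, not Ironic's or the advisory's code. It assumes node records as plain dicts with `uuid`, `name` and `instance_info` keys; in practice you would build that list from your baremetal node listing (for example `openstack baremetal node list -f json` with the instance_info field included) and map whatever column names your client emits onto those keys. The sample nodes are constructed.

```python
"""Triage helper for CVE-2026-44916: version check plus ks_template scan.
Added example; node records and the fixed-version constant come from the
advisory text, the record layout is an assumption documented in the lead-in."""
import json
import re

FIXED_VERSION = (35, 0, 2)  # first fixed release named in the advisory


def parse_version(text: str) -> tuple:
    """Extract the leading X.Y.Z from strings such as '35.0.1' or
    'ironic 35.0.1.dev3'; absent components count as 0."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def nodes_with_ks_template(nodes: list) -> list:
    """Return (uuid, name) for nodes whose instance_info sets ks_template.
    instance_info may be a dict or a JSON string, depending on the listing."""
    hits = []
    for node in nodes:
        info = node.get("instance_info") or {}
        if isinstance(info, str):
            info = json.loads(info)
        if "ks_template" in info:
            hits.append((node["uuid"], node.get("name")))
    return hits


def triage(version_text: str, nodes: list) -> dict:
    vulnerable = is_vulnerable_version(version_text)
    affected = nodes_with_ks_template(nodes)
    return {
        "version": ".".join(map(str, parse_version(version_text))),
        "needs_upgrade": vulnerable,
        "nodes_using_ks_template": affected,
        # exposure needs both: an unfixed release and the non-default
        # ks_template usage the advisory describes
        "exposed": vulnerable and bool(affected),
    }


# Constructed sample listing (assumed record layout; values are made up).
SAMPLE_NODES = [
    {"uuid": "4f2c1d2e-0000-4000-8000-000000000001", "name": "compute-01",
     "instance_info": {"image_source": "http://images.example/base.qcow2"}},
    {"uuid": "4f2c1d2e-0000-4000-8000-000000000002", "name": "compute-02",
     "instance_info": '{"ks_template": "http://config.example/custom.ks.template"}'},
    {"uuid": "4f2c1d2e-0000-4000-8000-000000000003", "name": "compute-03",
     "instance_info": None},
]

if __name__ == "__main__":
    print(json.dumps(triage("ironic 35.0.1", SAMPLE_NODES), indent=2))
```

Treat the `exposed` flag as a prioritisation aid only: a node listing shows what is configured now, and an account able to set instance_info could add ks_template later, which is why the version check stays the primary control.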

Evidence notes

All facts in this debrief are drawn from the supplied CVE record and its cited references. The CVE metadata shows publishedAt 2026-05-08T07:16:29.163Z and modifiedAt 2026-05-20T16:16:25.813Z. The description states the issue is in OpenStack Ironic before 35.0.2 and concerns unsandboxed rendering of instance_info['ks_template'] in a certain non-default configuration. NVD metadata lists CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and CWE-1336, and the references include Launchpad bug 2148307, OSSA-2026-012, and an oss-security post.

Official resources

Publicly disclosed in the supplied record on 2026-05-08, with the record later updated on 2026-05-20. The disclosure trail in the CVE metadata points to a Launchpad bug, an OpenStack security advisory, and an oss-security announcement.