PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46448 OpenStack CVE debrief

A vulnerability was discovered in OpenStack Nova before version 33.0.2. The server create API does not properly strip certain hint data, which can lead to an instance being created without a Placement allocation. This issue has a CVSS score of 5.4 and is classified as MEDIUM severity.

Vendor: OpenStack
Product: Nova
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-16
Original CVE updated: 2026-06-17
Advisory published: 2026-06-16
Advisory updated: 2026-06-17

Who should care

Users of OpenStack Nova, particularly those who manage virtual machines and instances, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The OpenStack Nova server create API does not strip certain hint data, resulting in an instance with no Placement allocation. This vulnerability is identified as CVE-2026-46448 and has a CVSS score of 5.4.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to OpenStack Nova version 33.0.2 or later to fix this vulnerability.
  • Review and adjust the server create API to properly strip hint data.
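
To check an existing deployment for the condition described in the technical summary, the following added example (not code from Nova or from this debrief) flags instances that sit on a compute host but hold no Placement allocation. It assumes server records normalised to `id`, `status` and `host` keys and allocation bodies in the shape returned by Placement's `GET /allocations/{consumer_uuid}`; all sample data is constructed.

```python
# Added example: flag instances that occupy a compute host but have no
# Placement allocation. Function names and sample data are constructed.

# States in which an empty allocation is expected, because the instance is
# not consuming resources on any compute host.
NO_ALLOCATION_EXPECTED = {"SHELVED_OFFLOADED", "DELETED"}

def has_allocation(placement_body):
    """True if a GET /allocations/{consumer_uuid} body holds any resources."""
    allocs = (placement_body or {}).get("allocations") or {}
    return any(rp.get("resources") for rp in allocs.values())

def find_unallocated(servers, allocations_by_consumer):
    """Return sorted UUIDs of servers placed on a host without an allocation.

    servers: iterable of dicts with 'id', 'status', 'host' (assumed shape).
    allocations_by_consumer: instance UUID -> Placement response body;
    a missing key is treated the same as an empty allocation.
    """
    flagged = []
    for srv in servers:
        if not srv.get("host"):
            continue  # never scheduled (e.g. failed build): nothing consumed
        if srv.get("status", "").upper() in NO_ALLOCATION_EXPECTED:
            continue
        if not has_allocation(allocations_by_consumer.get(srv["id"])):
            flagged.append(srv["id"])
    return sorted(flagged)

# Constructed inventory: two healthy or exempt cases, two anomalies.
A, B, C, D, E = (f"{n}" * 8 + "-0000-4000-8000-000000000000" for n in "12345")
SERVERS = [
    {"id": A, "status": "ACTIVE", "host": "cmp01"},
    {"id": B, "status": "ACTIVE", "host": "cmp01"},          # empty allocation
    {"id": C, "status": "SHELVED_OFFLOADED", "host": None},  # exempt
    {"id": D, "status": "ERROR", "host": None},              # never scheduled
    {"id": E, "status": "ACTIVE", "host": "cmp02"},          # no record at all
]
ALLOCATIONS = {
    A: {"allocations": {"rp-cmp01": {"resources": {"VCPU": 2, "MEMORY_MB": 4096}}}},
    B: {"allocations": {}},
}

if __name__ == "__main__":
    for uuid in find_unallocated(SERVERS, ALLOCATIONS):
        print("no Placement allocation:", uuid)
```

Instances flagged this way consume host resources that Placement does not account for, so they are worth reviewing both before and after the upgrade.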

Evidence notes

Evidence for this CVE comes from the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) list.

Official resources

CVE-2026-46448 was published on 2026-06-16T20:16:41.697Z and modified on 2026-06-16T20:42:25.013Z.