Description
ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually.
Published: 2026-01-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Fix
AI Analysis

Impact

A malformed TimeProfile in ManageIQ can trigger timeouts in both the user interface and subsequent API calls, effectively freezing the platform and preventing legitimate users from accessing services. The vulnerability stems from improper input validation (CWE-20): an attacker can create a TimeProfile that causes the system to hang while processing it. If the fault is triggered repeatedly, the overall availability of the management platform degrades, potentially affecting every application that depends on it for configuration and monitoring.

Affected Systems

The issue affects the ManageIQ open-source management platform in all releases prior to radjabov-2, which introduced the necessary validation. Releases before radjabov-2 remain vulnerable until they are upgraded; radjabov-2 and later releases contain the patch that removes the flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1 (High), but its EPSS score is reported as under one percent, so exploitation is currently assessed as unlikely. The weakness is classified as CWE-20 (Improper Input Validation). Because the flaw is reached through the public API, an attacker only needs to send a crafted TimeProfile payload; no privilege beyond ordinary API access (CVSS PR:L) is required. The vulnerability is not listed in the KEV catalog, meaning no exploitation in the wild has been reported yet, though the impact on availability makes it a high-risk issue for exposed installations.

Generated by OpenCVE AI on April 18, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ManageIQ radjabov-2 or a later release where the patch is integrated
  • If an upgrade is delayed, apply the manual patch from the referenced commit to backport the validation to older versions
  • Implement API input validation or rate limiting to block malformed TimeProfile creation attempts and monitor system logs for abuse

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Manageiq; Manageiq manageiq
Vendors & Products  |                | Manageiq; Manageiq manageiq

Wed, 21 Jan 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 21:15:00 +0000

Type        | Values Removed | Values Added
Description |                | ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually.
Title       |                | ManageIQ vulnerable to DoS Attack when creating TimeProfiles
Weaknesses  |                | CWE-20
References  |                |
Metrics     |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T21:35:27.687Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22598

Vulnrichment

Updated: 2026-01-21T21:35:22.036Z

NVD

Status : Deferred

Published: 2026-01-21T21:16:09.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses