Description
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
Published: 2026-02-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Vitrage query parser allows a user with API access to craft a malicious query that triggers execution of arbitrary code on the host where the Vitrage service runs. This flaw can lead to unauthorized access to the host, compromising the entire Vitrage instance and potentially the underlying infrastructure. The weakness corresponds to operating‑system command injection and is identified as CWE‑95.

Affected Systems

OpenStack Vitrage in releases prior to 12.0.1, 13.0.0, 14.0.0, and 15.0.0 is affected. The vulnerability is present in all deployments that expose the Vitrage API, regardless of network location.

Risk and Exploitability

The CVSS score of 9.1 reflects a high severity. The low EPSS score (<1%) suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires a user who is allowed to use the Vitrage API to submit a crafted query; from there the code runs with the service’s system privileges. Organizations should therefore treat any exposed Vitrage API as a high‑risk surface.

Generated by OpenCVE AI on April 17, 2026 at 14:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Vitrage to the latest available release (12.0.1 or newer) to apply the query‑parser patch.
  • Restrict API access to trusted administrators only and consider placing the Vitrage endpoint behind network segmentation or a firewall to limit exposure.
  • Configure the Vitrage service to run under a non‑privileged user account to limit damage in case of exploitation.

Generated by OpenCVE AI on April 17, 2026 at 14:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8xwf-cr4r-856r OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection
History

Thu, 05 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
References

Fri, 27 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Openstack
Openstack vitrage
CPEs cpe:2.3:a:openstack:vitrage:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack vitrage

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
Weaknesses CWE-95
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Openstack Vitrage
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-05T04:34:01.128Z

Reserved: 2026-02-27T04:52:33.518Z

Link: CVE-2026-28370

cve-icon Vulnrichment

Updated: 2026-03-05T04:34:01.128Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T05:18:20.757

Modified: 2026-03-05T05:16:37.117

Link: CVE-2026-28370

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses