Description
OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.
Published: 2026-03-31
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch Now
AI Analysis

Impact

This vulnerability is a Server‑Side Request Forgery that permits an authenticated user to trigger HTTP redirects during image import. By bypassing normal URL validation, Glance can reach internal network services, potentially exposing private resources or enabling internal reconnaissance. The flaw aligns with CWE‑918, and no evidence suggests it leads to remote code execution or denial of service.

Affected Systems

Affected installations are OpenStack Glance versions earlier than 29.1.1, any 30.x release prior to 30.1.1, and the 31.0.0 release. Only the image import pathways—web‑download, glance‑download, and the optional ovf_process plugin—are susceptible. Users must have authentication and the privilege to initiate image import for exploitation.

Risk and Exploitability

The CVSS score is 5, indicating moderate severity, EPSS is below 1 %, showing a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. Based on the description, the attack requires an authenticated user to supply a crafted URL that redirects to an internal endpoint; therefore the likely attack vector is credentialed internal administration. If an attacker directs Glance to an internal service, they may obtain sensitive data or pivot further inside the network.

Generated by OpenCVE AI on April 14, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch described in the OpenStack OSSA‑2026‑004 advisory or upgrade Glance to a version equal or newer than 29.1.1, 30.1.1, or 31.0.1.
  • If an upgrade is not possible, disable the web‑download and glance‑download import methods or the ovf_process plugin until a patch can be applied.
  • Configure Glance’s outbound network rules to block or whitelist HTTP redirects, preventing the service from reaching internal IP ranges.
  • Monitor Glance logs for unexpected redirect attempts and review any traffic that bypasses the usual validation checks.

Generated by OpenCVE AI on April 14, 2026 at 03:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mc26-q38v-83gv OpenStack Glance is affected by Server-Side Request Forgery (SSRF)
History

Tue, 14 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openstack:glance:31.0.0:*:*:*:*:*:*:*

Mon, 06 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Title OpenStack Glance: OpenStack Glance: Server-Side Request Forgery via HTTP redirects in image import
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title OpenStack Glance SSRF via HTTP Redirects in Image Import

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin. OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.
CPEs cpe:2.3:a:openstack:glance:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title OpenStack Glance SSRF via HTTP Redirects in Image Import
First Time appeared Openstack
Openstack glance
Vendors & Products Openstack
Openstack glance

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 06:00:00 +0000

Type Values Removed Values Added
Description OpenStack Glance <29.1.1, >=30.0.0 <30.1.1, ==31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Openstack Glance
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T18:20:21.022Z

Reserved: 2026-03-31T05:29:07.975Z

Link: CVE-2026-34881

cve-icon Vulnrichment

Updated: 2026-03-31T13:47:25.950Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T06:16:01.130

Modified: 2026-04-14T01:51:48.620

Link: CVE-2026-34881

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-31T05:29:08Z

Links: CVE-2026-34881 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:29Z

Weaknesses