Description
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
Published: 2026-06-04
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenStack Mistral versions up to 22.0.0 expose a set of API endpoints that can be used to execute arbitrary code. An attacker that can reach the vulnerable API endpoint will be able to run code with the permissions of the Mistral service process, potentially leading to disclosure of credentials and other sensitive system information. The weakness is a failure to restrict the execution of user-supplied code and is classified as CWE‑863.

Affected Systems

The vulnerability affects the OpenStack Mistral service, specifically all releases through 22.0.0. Users running these versions should verify that the API is not publicly accessible from untrusted networks.

Risk and Exploitability

The CVSS score is 9.9, indicating critical severity. EPSS data is not available, so the current exploitation probability cannot be determined, but the absence of a KEV listing does not mitigate the high potential impact. If the Mistral API is exposed to potentially hostile networks, an attacker can invoke the vulnerable endpoints and achieve full code execution on the host where Mistral runs.

Generated by OpenCVE AI on June 4, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of OpenStack Mistral that contains the fix for this vulnerability
  • Configure network controls to restrict the Mistral API endpoint to trusted hosts or internal networks only
  • Enable auditing and monitor the Mistral logs for suspicious API activity

Generated by OpenCVE AI on June 4, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Title Arbitrary Remote Code Execution via Exposed Mistral API Endpoints

Thu, 04 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T03:44:52.568Z

Reserved: 2026-04-20T00:00:00.000Z

Link: CVE-2026-41283

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T04:17:12.700

Modified: 2026-06-04T04:17:12.700

Link: CVE-2026-41283

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T06:00:08Z

Weaknesses