Description
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Published: 2026-05-05
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During an Ironic import operation, a user can invoke molds and request that an authorization credential be sent to a remote endpoint. The forwarded credential is a time‑limited Keystone token that authorizes access to all OpenStack services for which Ironic is permitted, or basic credentials configured for molds storage. This flaw enables the accidental or malicious disclosure of privileged tokens, allowing an attacker to impersonate the user or gain unauthorized access to critical OpenStack resources.

Affected Systems

The vulnerability affects OpenStack Ironic before version 35.0.1. The patched releases that address the issue are 26.1.6, 29.0.5, 32.0.1, and 35.0.1. Any deployment running an older release is at risk.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. Exploitation requires the ability to trigger a molds import, after which a valid Keystone token is automatically forwarded to an arbitrary remote host specified by the requester. The attack surface is therefore limited to environments where Ironic import controls are accessible, but the impact of leaking a privileged token is substantial. With EPSS unavailable and the vulnerability not listed in KEV, the likelihood of exploitation remains uncertain, yet the potential damage warrants prompt remediation.

Generated by OpenCVE AI on May 5, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Ironic to one of the fixed releases 26.1.6, 29.0.5, 32.0.1, or 35.0.1.
  • Disable or restrict the molds import feature if an immediate upgrade is not possible.
  • Configure Ironic to limit remote endpoints for credential forwarding to trusted, internal hosts.

Generated by OpenCVE AI on May 5, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 06:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 May 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
First Time appeared Openstack
Openstack ironic
Weaknesses CWE-669
CPEs cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack ironic
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Openstack Ironic
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T06:12:45.933Z

Reserved: 2026-05-01T00:00:00.000Z

Link: CVE-2026-42997

cve-icon Vulnrichment

Updated: 2026-05-05T19:32:05.605Z

cve-icon NVD

Status : Received

Published: 2026-05-05T19:16:22.817

Modified: 2026-05-06T07:16:01.850

Link: CVE-2026-42997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T19:30:30Z

Weaknesses