Description
In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
Published: 2026-05-08
Score: 3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In OpenStack Ironic versions before 35.0.2, when a non-default configuration is used, untrusted ks_template data is rendered without sandboxing, which creates a template injection flaw. Based on the description, it is inferred that an attacker might be able to execute arbitrary template code within the Ironic service, potentially compromising the integrity and confidentiality of the environment and its managed data.

Affected Systems

OpenStack Ironic releases before version 35.0.2 are affected when a non‑default configuration is used. Deployments running those versions with user‑supplied ks_template content are vulnerable; newer releases (35.0.2 and later) are not confirmed to contain the issue.

Risk and Exploitability

The CVSS score of 3 indicates low severity. The EPSS score of <1% indicates a very low probability of exploitation. It is not listed in CISA’s KEV catalog. The likely attack vector is user‑supplied instance metadata that includes a ks_template payload; an attacker with privileges to submit such metadata could exploit the flaw. Because the vulnerability requires input from a user of the Ironic service, exploitation is limited to those with provisioning rights.

Generated by OpenCVE AI on May 12, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Ironic to version 35.0.2 or later.
  • If an immediate upgrade is not feasible, limit the use of user‑supplied ks_template content by restricting provision scripts to trusted templates only.
  • Monitor OpenStack security advisories and apply the official fix or workaround as soon as it is released.



Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 12 May 2026 03:15:00 +0000

Type Values Removed Values Added
Title Template Injection via Unsandboxed ks_template Rendering in OpenStack Ironic

Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description (removed) In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
Description (added) In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
CPEs cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 08:30:00 +0000

Type Values Removed Values Added
Title Template Injection via Unsandboxed ks_template Rendering in OpenStack Ironic
First Time appeared Openstack, Openstack ironic
Vendors & Products Openstack, Openstack ironic

Fri, 08 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
Weaknesses CWE-1336
References
Metrics cvssV3_1

{'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-20T15:04:18.146Z

Reserved: 2026-05-08T06:38:36.747Z

Link: CVE-2026-44916

Vulnrichment

Updated: 2026-05-11T17:40:03.179Z

NVD

Status: Awaiting Analysis

Published: 2026-05-08T07:16:29.163

Modified: 2026-05-20T16:16:25.813

Link: CVE-2026-44916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T03:00:06Z
