Description
In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
Published: 2026-05-08
Score: 3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in OpenStack Ironic allows untrusted ks_template data to be rendered without sandboxing, creating a template injection flaw. This flaw could enable malicious template code to be executed in the context of the Ironic service. The impact would be limited to the integrity and confidentiality of the Ironic environment and the data it manages, rather than a full system compromise.

Affected Systems

OpenStack Ironic releases up to and including the 35.x series are affected. Only deployments using these versions are impacted; newer releases have not been confirmed to contain the issue.

Risk and Exploitability

The CVSS score of 3 indicates a low severity risk, and no EPSS score is available for this vulnerability. It is not listed in CISA’s KEV catalog. The likely attack vector is user-supplied instance metadata that includes a ks_template payload; an attacker with privileges to submit such metadata could exploit the flaw. Because the vulnerability requires input from a user of the Ironic service, exploitation is limited to those with provisioning rights.

Generated by OpenCVE AI on May 8, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Ironic to a version where the ks_template sandboxing issue is fixed.
  • If an immediate upgrade is not feasible, limit the use of user-supplied ks_template content by restricting provision scripts to trusted templates only.
  • Monitor OpenStack security advisories and apply the official fix or workaround as soon as it is released.

Generated by OpenCVE AI on May 8, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 08:30:00 +0000

Type Values Removed Values Added
Title Template Injection via Unsandboxed ks_template Rendering in OpenStack Ironic
First Time appeared Openstack
Openstack ironic
Vendors & Products Openstack
Openstack ironic

Fri, 08 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
Weaknesses CWE-1336
References
Metrics cvssV3_1

{'score': 3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Openstack Ironic
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T12:50:35.499Z

Reserved: 2026-05-08T06:38:36.747Z

Link: CVE-2026-44916

cve-icon Vulnrichment

Updated: 2026-05-08T12:50:32.076Z

cve-icon NVD

Status : Received

Published: 2026-05-08T07:16:29.163

Modified: 2026-05-08T07:16:29.163

Link: CVE-2026-44916

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T08:30:04Z

Weaknesses