Description
OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.
Published: 2026-06-04
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenStack Ironic before version 35.0.2 contains a weakness that permits a user with the project administrator or manager role to read arbitrary local files on the conductor through a PXE template. This leads to confidentiality loss of sensitive configuration or system data, as the vulnerability is a file read flaw classified as CWE-669. The impact is confined to information disclosure; there is no direct code execution or denial of service described.

Affected Systems

Affected product is OpenStack Ironic, versions prior to 35.0.2. The vulnerability applies to all deployments that use the Ironic conductor component with default role assignments for project admins or managers.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is internal: an attacker must be authenticated with sufficient project privileges to modify or access a PXE template; no remote exploitation or unprivileged attack is implied. Exploitation requires the attacker to deliberately load a crafted template that references sensitive local paths, then retrieve them via the conductor service.

Generated by OpenCVE AI on June 4, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Ironic to version 35.0.2 or later to remove the flaw.
  • If an immediate upgrade is not feasible, limit the ability of project admin or manager roles to modify PXE templates by adjusting role assignments or applying role‑based access controls.
  • Enforce least‑privilege for all users that can access the conductor service and monitor logs for suspicious file read activity.

Generated by OpenCVE AI on June 4, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6341-1 ironic security update
History

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Title Authenticated Project Admin File Read via PXE Template in OpenStack Ironic

Thu, 04 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template.
First Time appeared Openstack
Openstack ironic
Weaknesses CWE-669
CPEs cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack ironic
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Openstack Ironic
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-04T13:07:33.838Z

Reserved: 2026-05-08T00:00:00.000Z

Link: CVE-2026-44917

cve-icon Vulnrichment

Updated: 2026-06-04T05:40:39.892Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T04:17:14.853

Modified: 2026-06-04T18:40:49.520

Link: CVE-2026-44917

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T07:00:09Z

Weaknesses
  • CWE-669

    Incorrect Resource Transfer Between Spheres