Description
OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info.
Published: 2026-06-03
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenStack Ironic versions prior to 35.0.2 allow an attacker with the ability to set node.driver_info or node.instance_info to inject a malicious iPXE script. When the node boots, the supplied script is executed, giving the attacker remote code execution on the physical host. This flaw is a typical code‑injection weakness and could lead to full compromise of the node and potentially the entire OpenStack environment.

Affected Systems

All OpenStack Ironic installations running a version earlier than 35.0.2 are vulnerable. The issue resides in the node provisioning workflow that accepts user‑supplied data without proper validation.

Risk and Exploitability

The CVSS score of 5.8 indicates a moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. The vulnerability requires the attacker to have write access to the Ironic API or web interface to set node.driver_info or node.instance_info. Therefore it is likely limited to users with administrative or privileged roles. If an attacker gains such access, they can inject a malicious iPXE script that will run during the node boot, potentially yielding full control over that node.

Generated by OpenCVE AI on June 4, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading OpenStack Ironic to version 35.0.2 or newer.
  • Restrict write permission on node.driver_info and node.instance_info to users with administrative privileges only, enforcing strict role‑based access control.
  • Sanitize any data supplied to node.driver_info or node.instance_info before storing or executing; reject content that could be interpreted as executable code, mitigating the underlying CWE‑669.

Advisories

  Source: Debian DSA
  ID: DSA-6341-1
  Title: ironic security update

History

Mon, 15 Jun 2026 23:30:00 +0000
  References changed

Thu, 04 Jun 2026 16:30:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 09:15:00 +0000
  Title: Boot Script Injection via iPXE Script in OpenStack Ironic Node Configuration

Thu, 04 Jun 2026 07:15:00 +0000
  Title: Boot Script Injection in OpenStack Ironic 35.0.x
  Weaknesses: CWE-730

Thu, 04 Jun 2026 04:00:00 +0000
  Description: changed from "OpenStack Ironic through 35.0.x allows Boot Script Injection." to "OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info."
  Weaknesses: CWE-669
  CPEs: cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N'}

Wed, 03 Jun 2026 23:45:00 +0000
  Title: Boot Script Injection in OpenStack Ironic 35.0.x
  Weaknesses: CWE-730

Wed, 03 Jun 2026 23:15:00 +0000
  First Time appeared: Openstack, Openstack ironic
  Vendors & Products: Openstack, Openstack ironic

Wed, 03 Jun 2026 22:30:00 +0000
  References changed

Wed, 03 Jun 2026 21:30:00 +0000
  Description: OpenStack Ironic through 35.0.x allows Boot Script Injection.
  References changed

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T22:40:19.590Z

Reserved: 2026-05-14T00:00:00.000Z

Link: CVE-2026-46447

Vulnrichment

Updated: 2026-06-15T22:40:19.590Z

NVD

Status : Modified

Published: 2026-06-03T22:16:34.793

Modified: 2026-06-15T23:16:45.173

Link: CVE-2026-46447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T09:00:12Z

Weaknesses
  • CWE-669: Incorrect Resource Transfer Between Spheres