Impact
The OpenStack Swift proxy server failed to strip internal update headers such as X-Container-Host, X-Container-Device, X-Delete-At-Host and X-Delete-At-Device from client requests before forwarding them to object servers. These headers are meant to be set only by the proxy, which derives them from the ring and uses them to tell the object server which container servers to notify about the write. Because the proxy forwarded client-supplied copies unchanged, an authenticated user with write permission can set them on an object write and redirect the resulting container update requests to a host of their choosing, resulting in server-side request forgery. The forged requests can reveal internal cluster metadata, including storage policy indexes, partition mappings and device names, and, when at-rest encryption is enabled, the ciphertext and initialization vectors associated with the container-level encryption key. The vulnerability also allows an attacker to create "ghost listings" in arbitrary containers via the shard-range redirect mechanism.
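The following is an added illustration, not Swift's own code: a small model of the proxy-to-object-server container-update path that shows why copying client headers onto the backend request is an SSRF, and what the fix has to do. The ring lookup, the host and device values, the attacker address (TEST-NET-3) and the function names `vulnerable_proxy`, `hardened_proxy` and `container_update_targets` are all constructed for the example; the comma-append behaviour when a header is already present is an assumption of the model, not a statement about Swift internals.

```python
# Added example (not Swift's own code): a simplified model of how the proxy
# tells an object server which container servers to notify after a write,
# and how client-supplied copies of those headers reach the object server
# when the proxy does not strip them first.
from typing import Dict, List, Tuple

# Internal, proxy-only headers. The *-Host and *-Device names come from the
# advisory; the *-Partition names are assumed here because they travel with
# them. Stored in canonical (title) case so matching is case-insensitive.
INTERNAL_UPDATE_HEADERS = frozenset({
    "X-Container-Host", "X-Container-Device", "X-Container-Partition",
    "X-Delete-At-Host", "X-Delete-At-Device", "X-Delete-At-Partition",
})

# Constructed stand-in for the container ring: one (host, device, partition)
# entry per replica of the container.
RING = {
    ("AUTH_test", "photos"): [
        ("10.0.0.11:6201", "sdb1", 1024),
        ("10.0.0.12:6201", "sdc1", 1024),
        ("10.0.0.13:6201", "sdd1", 1024),
    ],
}

# Constructed attacker request: header names deliberately lower-cased to
# show that stripping must be case-insensitive, as HTTP header names are.
ATTACKER_HEADERS = {
    "Content-Length": "5",
    "x-container-host": "203.0.113.7:6201",   # attacker-controlled listener
    "x-container-device": "sdb1",
    "x-container-partition": "1024",
}


def _canonical(headers: Dict[str, str]) -> Dict[str, str]:
    """Normalise header names ('x-container-host' -> 'X-Container-Host')."""
    return {k.title(): v for k, v in headers.items()}


def _csv_append(existing: str, value: str) -> str:
    """Model assumption: a replica is appended to an existing list value."""
    return f"{existing},{value}" if existing else value


def add_update_headers(backend: Dict[str, str], account: str, container: str) -> None:
    """Proxy side: add the ring-derived update headers for every replica."""
    for host, device, partition in RING[(account, container)]:
        backend["X-Container-Partition"] = str(partition)
        backend["X-Container-Host"] = _csv_append(backend.get("X-Container-Host", ""), host)
        backend["X-Container-Device"] = _csv_append(backend.get("X-Container-Device", ""), device)


def vulnerable_proxy(client_headers: Dict[str, str], account: str, container: str) -> Dict[str, str]:
    """Pre-fix model: every client header is copied onto the backend request,
    so a client-supplied X-Container-Host is still present when the proxy
    appends the genuine replicas."""
    backend = _canonical(client_headers)
    add_update_headers(backend, account, container)
    return backend


def hardened_proxy(client_headers: Dict[str, str], account: str, container: str) -> Dict[str, str]:
    """Post-fix model: drop any client header that names an internal update
    header before adding the proxy's own values."""
    backend = {k: v for k, v in _canonical(client_headers).items()
               if k not in INTERNAL_UPDATE_HEADERS}
    add_update_headers(backend, account, container)
    return backend


def container_update_targets(backend: Dict[str, str]) -> List[Tuple[str, str]]:
    """Object-server side of the model: the (host, device) pairs it will send
    the container update to, derived solely from the headers it received."""
    hosts = [h for h in backend.get("X-Container-Host", "").split(",") if h]
    devices = [d for d in backend.get("X-Container-Device", "").split(",") if d]
    return list(zip(hosts, devices))


if __name__ == "__main__":
    for name, proxy in (("vulnerable", vulnerable_proxy), ("hardened", hardened_proxy)):
        targets = container_update_targets(proxy(ATTACKER_HEADERS, "AUTH_test", "photos"))
        print(f"{name}: {targets}")
```

In the vulnerable path the object server ends up with four update targets, the first of which is the attacker's listener and receives the same container-update request (and its metadata headers) as the real replicas; the hardened path yields only the three ring replicas. The case-normalisation step matters: a filter that compared header names case-sensitively would be bypassed by the lower-cased names in the constructed request.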
Affected Systems
The issue affects OpenStack Swift releases prior to version 2.37.2. Every deployment running an earlier release, which includes all 2.36.x and older releases, is susceptible because the proxy-server component does not strip the internal update headers from client requests.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium-risk vulnerability. Because exploitation requires authenticated write access, the attacks are likely to originate from insider or compromised user accounts; note, however, that in multi-tenant deployments any authenticated tenant already has write access to containers in its own account, so the bar is no higher than holding a valid account. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. An attacker who can authenticate can use the SSRF to expose sensitive cluster information and create phantom resources, potentially aiding further reconnaissance or lateral movement.
OpenCVE Enrichment