Description
In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In OpenStack Ironic versions 32 through 36, an unauthenticated malicious user can send a crafted JSON string to some endpoints on the API or JSON‑RPC service, triggering a service crash. The flaw is a resource exhaustion bug (CWE‑770) and involves insecure deserialization (CWE‑502), leading to a denial of service without compromising data.

Affected Systems

The vulnerability exists in OpenStack Ironic versions 32 through 36 (before 37.0.0). Versions earlier than 32 or later than 37.0.0 are not affected according to the vendor's data.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate. An EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, suggesting no large‑scale exploitation has been observed. The likely attack vector is remote; an unauthenticated attacker can issue malicious JSON to the public API endpoints and force a crash, disrupting availability of the Ironic service.

Generated by OpenCVE AI on June 23, 2026 at 13:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenStack Ironic to a version above 36 where the issue is fixed
  • Configure the Ironic API and JSON‑RPC services to require authentication before accepting requests
  • Limit access to the Ironic API endpoints to trusted networks or implement network segmentation

Generated by OpenCVE AI on June 23, 2026 at 13:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title openstack-ironic: OpenStack Ironic: Denial of Service via crafted JSON string
Weaknesses CWE-502
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 16 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Malicious JSON Crash in OpenStack Ironic

Sat, 06 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
References

Sat, 06 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description In OpenStack Ironic 32 through 35.0.1, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash. In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.
References

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Openstack
Openstack ironic
Vendors & Products Openstack
Openstack ironic

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Malicious JSON Crash in OpenStack Ironic

Fri, 05 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description In OpenStack Ironic 32 through 35.0.1, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Openstack Ironic
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T15:08:42.615Z

Reserved: 2026-06-04T23:59:19.739Z

Link: CVE-2026-50589

cve-icon Vulnrichment

Updated: 2026-06-06T05:18:06.298Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:09.213

Modified: 2026-06-16T20:07:42.883

Link: CVE-2026-50589

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-04T23:59:20Z

Links: CVE-2026-50589 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T13:45:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data

  • CWE-770

    Allocation of Resources Without Limits or Throttling