Description
In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
Published: 2026-06-14
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenStack Ironic versions up to 35.0.1 allow an authenticated user to perform a PATCH request on volume properties and receive unredacted information, including iSCSI credentials. The weakness is a CWE-212 type data leak, providing an attacker with details that could lead to compromise of storage systems or further lateral movement. The POST operation behaves correctly and does not reveal sensitive data, so the issue is specific to the PATCH path.

Affected Systems

The vulnerability affects the OpenStack Ironic service, specifically all releases through 35.0.1. Any deployment using these versions that permits volume property modifications is at risk.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, while the EPSS score is not available, suggesting no current data on exploit probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is internal or delegated use of a PATCH operation on authorized volume properties, allowing the attacker to retrieve credentials that were intended to remain confidential.

Generated by OpenCVE AI on June 14, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch that upgrades Ironic to version 35.0.2 or later, which redacts sensitive data in PATCH responses
  • Restrict PATCH permissions to only users who require access to modify volume properties, minimizing the number of users who can trigger the exposure
  • Audit logs for PATCH requests on volume properties and correlate any anomalous attempts with user activity to detect exploitation attempts

Advisories

No advisories yet.

History

Sun, 14 Jun 2026 05:30:00 +0000

Type  | Values Removed | Values Added
Title |                | Ironic Unredacted Credentials via Volume Properties PATCH

Sun, 14 Jun 2026 04:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
First Time appeared |                | Openstack, Openstack ironic
Weaknesses          |                | CWE-212
CPEs                |                | cpe:2.3:a:openstack:ironic:*:*:*:*:*:*:*:*
Vendors & Products  |                | Openstack, Openstack ironic
References          |                |
Metrics             |                | cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-14T03:49:37.996Z

Reserved: 2026-06-14T03:49:37.600Z

Link: CVE-2026-54421

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-14T04:16:30.927

Modified: 2026-06-14T04:16:30.927

Link: CVE-2026-54421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T05:30:07Z

Weaknesses
  • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer