High severity8.1NVD Advisory· Published Aug 3, 2025· Updated Apr 15, 2026

CVE-2025-54955

Description

OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.

Affected products

Stolichnayer/Opennebula Account Takeoverreferences

Patches

4610231fa77c

https://github.com/OpenNebula/onevia osv

81058d9705e7

https://github.com/OpenNebula/onevia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

docs.opennebula.io/6.10/intro_release_notes/release_notes_enterprise/resolved_issues_6103.htmlnvd
github.com/OpenNebula/one/commit/81058d9705e7ac619d294423de28b76d88f613b6nvd
github.com/OpenNebula/one/releases/tag/release-7.0.0nvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000