VYPR
Medium severity · 5.4 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 13, 2026

CVE-2026-40212

Description

OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where administrators use the console web interface to view instance console logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Skyline Console before 5.0.1, 6.0.0, and 7.0.0 contains a DOM-based XSS vulnerability where unsanitized instance console logs are rendered via document.write(), allowing attackers to execute scripts in an administrator's browser.

Vulnerability

Details

OpenStack Skyline Console versions prior to 5.0.1, as well as versions 6.0.0 and 7.0.0, are vulnerable to a DOM-based Cross-Site Scripting (XSS) in the instance console log viewer [1][3]. The root cause is the unsafe use of document.write() to render console log output in a new browser window without any sanitization or escaping [1]. The log content (data.output) is directly embedded into the HTML, allowing any injected HTML or JavaScript to be interpreted as active content [1].

Exploitation

A non-administrative cloud user can inject malicious HTML or JavaScript into a virtual machine's console output, for example via instance user-data or runtime console messages written to /dev/console [1]. When an administrator clicks "View Full Log" in the Skyline UI, the frontend opens a new browser window and writes the unsanitized console output using document.write() [1][2]. Although the new window displays about:blank, it inherits the origin of the Skyline Console application, enabling the injected script to execute with full access to authenticated Skyline resources [1].

Impact

Successful exploitation results in DOM-based XSS executed in the Skyline Console origin [1]. An attacker can access authenticated session data and interact with Skyline administrative APIs, potentially compromising the entire OpenStack deployment [1][3].

Mitigation

Patches are available in Skyline Console versions 5.0.1, 8.0.0, and later [3]. Operators are advised to upgrade immediately. As a workaround, administrators should restrict or avoid using the "View Full Log" feature for instances where console output may be influenced by untrusted users [3].
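The rendering defect described under Details, shown as an added example that is not Skyline's code: an unsafe page builder that concatenates data.output straight into markup, beside a hardened builder that escapes it and a DOM variant that uses textContent so the log is never parsed as HTML. data.output is the field the advisory names; the function names and the sample log line are constructed for illustration.

```javascript
// Added example, not the Skyline Console source. `data.output` is the field
// the advisory names; function names and sample data are constructed here.

// Escape the five characters that can switch HTML context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape: whatever the VM wrote to its console becomes markup in
// the viewer page, so tags in the log are interpreted as active content.
function buildLogDocumentUnsafe(data) {
  return '<pre>' + data.output + '</pre>';
}

// Hardened shape: same page, but the log text is escaped before it is
// placed in the document, so tags survive only as visible text.
function buildLogDocumentSafe(data) {
  return '<pre>' + escapeHtml(data.output) + '</pre>';
}

// Hardened DOM variant for a browser: build the popup's DOM directly and
// assign the log via textContent, which creates a text node, never markup.
// (Browser-only; not invoked here so the file also runs under Node.)
function renderLogWindow(win, data) {
  const pre = win.document.createElement('pre');
  pre.textContent = data.output;
  win.document.body.appendChild(pre);
}

// Constructed sample: a console log whose second line carries a tag.
const sampleData = { output: 'line 1\n<script>/* untrusted */</script>' };
```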

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)