VYPR
← All advisories
Critical severity9.9NVD Advisory· Published Jun 4, 2026· Updated Jun 4, 2026

CVE-2026-41283

CVE-2026-41283

Description

OpenStack Mistral versions prior to 22.0.0 are vulnerable to arbitrary remote code execution via API endpoints, allowing credential exfiltration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Mistral versions prior to 22.0.0 are vulnerable to arbitrary remote code execution via API endpoints, allowing credential exfiltration.

Vulnerability

Several API endpoints in OpenStack Mistral versions 20.0.0 through 22.0.0 do not properly enforce access policies. This vulnerability allows any authenticated user to bypass policy controls and execute arbitrary code.

Exploitation

An attacker with authenticated access to the Mistral API can exploit this vulnerability by interacting with specific endpoints that lack proper policy enforcement. This allows them to execute arbitrary code on the affected system.

Impact

Successful exploitation of this vulnerability allows an attacker to achieve arbitrary remote code execution. This can lead to the exfiltration of sensitive service credentials, compromising the integrity and confidentiality of the OpenStack environment.

Mitigation

OpenStack Mistral versions 20.0.0 to 22.0.0 are affected. A fix is available in Mistral version 20.1.1 and later. Users are advised to upgrade to a patched version as soon as possible. The release date for the fixed versions is not explicitly stated in the provided references, but version 20.1.1 is mentioned as a fix [2].

References
  1. security - [OSSA-2026-020] OpenStack Mistral: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution (CVE-2026-41283)

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OpenStack/Mistralreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <=22.0.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

1