High severity7.7NVD Advisory· Published May 5, 2026· Updated May 7, 2026

CVE-2026-42997

Description

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.

Affected products

Pachno/Ironicinferred
Range: <35.0.1
Package: https://pypi.org/project/ironic

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-54w4-233h-x86gghsaADVISORY
www.openwall.com/lists/oss-security/2026/05/05/10nvd
nvd.nist.gov/vuln/detail/CVE-2026-42997ghsa
security.openstack.org/ossa/OSSA-2026-010.htmlnvd
www.openwall.com/lists/oss-security/2026/05/05/10nvd

News mentions

Cleartext Passwords in MS Edge? In 2026?, (Mon, May 4th)
SANS Internet Storm Center · May 5, 2026

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000