CVE-2026-50589

Vulnerability

In OpenStack Ironic versions 32 through 35.0.1, the method.body decorator in method.py parses the full JSON body before authentication checks are performed. This allows an unauthenticated user to submit a crafted JSON string to certain API or JSON-RPC service endpoints, potentially leading to a service crash [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted JSON string to an unauthenticated endpoint, such as /v1/continue_inspection. The attacker does not require any special privileges or user interaction. The primary mitigation in practice is the request body size limit enforced by reverse proxies like Apache or Nginx, which are commonly used in deployments [1].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition, causing the service to crash. While the theoretical impact is a service crash, the practical risk in real-world deployments is considered low due to infrastructure-level protections like request body size limits [1].

Mitigation

A fix is feasible by adding a content_length check before JSON parsing. The default limit of 10 MiB is considered generous for legitimate payloads. Specific patched versions and release dates are not yet disclosed in the available references, but the issue is confirmed and a fix is recommended [1].