CVE-2026-54421
Description
Ironic PATCH on volume targets returns unredacted sensitive properties (iSCSI credentials) to unauthorized users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenStack Ironic through 35.0.1, the patch() method for volume targets (ironic/api/controllers/v1/volume_target.py) does not apply the baremetal:volume:view_target_properties policy check before returning the response [1]. While the get_one() and _get_volume_targets_collection() methods correctly redact sensitive fields such as iSCSI credentials via _redact_target_properties, both post() and patch() call convert_with_links() directly on the returned object without any redaction step [1]. This allows a user authorized for baremetal:volume:update (but lacking view_target_properties) to obtain unredacted volume target properties, including authentication credentials.
Exploitation
An authenticated project-scoped user who is granted the baremetal:volume:update policy rule issues a PATCH request to modify a volume target's fields. The attacker constructs any valid JSON Patch body (even a no-op change to an innocuous field) and sends it to the Ironic API. The API processes the update and returns the full volume target object in the 200 response body, including the properties field containing sensitive iSCSI connection details such as credentials [1]. The same applies to creating a target with POST under baremetal:volume:create, whose 201 response is built the same way. No additional privileges or user interaction is required beyond holding the write permission.
Impact
Successful exploitation results in the disclosure of sensitive information contained in the volume target's properties field, which may include iSCSI credentials (e.g., usernames and passwords or CHAP secrets) [1]. This credential disclosure could allow an attacker to authenticate to the underlying storage system, potentially compromising the confidentiality and integrity of the storage backend. The attacker does not gain code execution or elevated privileges within Ironic itself, but can leverage the leaked credentials to access storage resources directly.
Mitigation
A fix has been proposed in code review [1] (https://review.opendev.org/c/openstack/ironic/+/990430) and a related bug report has been filed [1]. As of the publication date (2026-06-14), no official patched release of Ironic is available. Operators should review the pending change and backport it if possible, or use a policy.yaml override to restrict the baremetal:volume:create and baremetal:volume:update rules to the same principals that are allowed baremetal:volume:view_target_properties until a fixed version is released [1]. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
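An interim policy override of the kind described above, as an added example (not from the page or from the Ironic project). The file location and the rule expressions are assumptions: check the effective defaults of your own deployment before applying, because the names of the three rules come from the advisory but their default values do not.

```yaml
# /etc/ironic/policy.yaml (assumed location; [oslo_policy] policy_file in
# ironic.conf controls where Ironic reads overrides from).
#
# Interim mitigation while no fixed release is available: tighten the two
# write rules whose responses return unredacted properties so that only a
# principal who may already view the properties can create or update a
# target. The "rule:" reference makes the write rule exactly as strict as
# the view rule, whatever that rule is set to in this deployment.
"baremetal:volume:create": "rule:baremetal:volume:view_target_properties"
"baremetal:volume:update": "rule:baremetal:volume:view_target_properties"

# Alternative, if you prefer an explicit principal rather than a reference
# (assumed expression; drop the system_scope clause when
# [oslo_policy] enforce_scope is not enabled, since project-scoped admin
# tokens carry no system scope):
# "baremetal:volume:create": "role:admin and system_scope:all"
# "baremetal:volume:update": "role:admin and system_scope:all"
```

Remove the override once the fixed Ironic release is deployed; it blocks legitimate non-admin write access to volume targets in the meantime.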
AI Insight generated on Jun 14, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing RBAC policy check (`baremetal:volume:view_target_properties`) on the POST and PATCH write-response paths allows unredacted sensitive volume properties to be returned to unauthorized users."
Attack vector
A project-scoped user who holds `baremetal:volume:create` or `baremetal:volume:update` but not `baremetal:volume:view_target_properties` sends a POST or PATCH request to `/v1/volume/targets`. The API returns the full `properties` field, including iSCSI credentials, in the 201/200 response body without redaction [1]. No additional steps or special network position are required beyond valid Keystone authentication and API access [1].
Affected code
The `patch()` method at `ironic/api/controllers/v1/volume_target.py:404` and the `post()` method at `ironic/api/controllers/v1/volume_target.py:317` call `convert_with_links()` directly on the returned object without applying the `_redact_target_properties` redaction step. The `baremetal:volume:view_target_properties` policy check is enforced on the read paths (`get_one()` and `_get_volume_targets_collection()`) but is absent from these write-response paths [1].
What the fix does
The proposed fix applies `_redact_target_properties` to the response body in `post()` and `patch()` so that sensitive fields in `properties` are masked before being returned to the caller [1]. This mirrors the existing redaction logic already used on the read paths (`get_one()` and `_get_volume_targets_collection()`). The patch ensures that a user who can write a volume target cannot read back secrets (such as iSCSI credentials) that they are not authorized to view via the `baremetal:volume:view_target_properties` policy [1].
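The exploitation path and the fix, side by side, as an added model (this is not Ironic's code). The policy table, the in-memory record, the JSON Patch applier and the redaction helper are simplified stand-ins for oslo.policy, the VolumeTarget object, `convert_with_links()` and `_redact_target_properties`; the set of property keys treated as secret and the redaction marker text are assumptions. The point it shows is that the write-side policy check passes for the "member" caller on both paths, and only the redaction step on the response body decides whether the CHAP credentials come back.

```python
"""Model of the vulnerable and fixed volume-target PATCH response paths.

Added illustration, not Ironic's code. Names, policy expressions and the
secret-key list are assumptions chosen to mirror the advisory's description.
"""
import copy

# Constructed policy table: role names satisfying each rule. "member" may
# update a target but may not view its properties, the split the advisory
# describes.
POLICY = {
    "baremetal:volume:update": {"member", "admin"},
    "baremetal:volume:view_target_properties": {"admin"},
}

# Assumed secret keys inside `properties` (iSCSI CHAP credentials).
SENSITIVE_KEYS = {"auth_username", "auth_password"}
REDACTED = "** Redacted - requires baremetal:volume:view_target_properties **"

TARGET_UUID = "5c2d1e1a-0000-4000-8000-000000000001"  # constructed
# Constructed volume target record shaped like an iSCSI target.
STORE = {
    TARGET_UUID: {
        "uuid": TARGET_UUID,
        "volume_type": "iscsi",
        "boot_index": 0,
        "properties": {
            "target_portal": "10.0.0.5:3260",
            "target_iqn": "iqn.2010-10.org.openstack:volume-1",
            "auth_method": "CHAP",
            "auth_username": "chapuser",
            "auth_password": "s3cret",
        },
    }
}
MEMBER = {"roles": ["member"]}  # constructed caller: update, not view
ADMIN = {"roles": ["admin"]}
# Any valid patch will do; a harmless boot_index change is enough.
PATCH = [{"op": "replace", "path": "/boot_index", "value": 1}]


class Forbidden(Exception):
    """Caller's roles do not satisfy the policy rule."""


def fresh_store():
    return copy.deepcopy(STORE)


def check_policy(rule, context):
    if not POLICY[rule] & set(context["roles"]):
        raise Forbidden(rule)


def apply_json_patch(target, patch):
    """Apply RFC 6902 add/replace/remove ops; paths of depth 1 or 2 only."""
    new = copy.deepcopy(target)
    for op in patch:
        parts = op["path"].lstrip("/").split("/")
        parent = new
        for key in parts[:-1]:
            parent = parent[key]
        if op["op"] in ("add", "replace"):
            parent[parts[-1]] = op["value"]
        elif op["op"] == "remove":
            del parent[parts[-1]]
        else:
            raise ValueError("unsupported op %r" % op["op"])
    return new


def redact_target_properties(target, context):
    """Mask secret property values unless the caller may view them."""
    try:
        check_policy("baremetal:volume:view_target_properties", context)
        return target
    except Forbidden:
        out = copy.deepcopy(target)
        out["properties"] = {k: (REDACTED if k in SENSITIVE_KEYS else v)
                             for k, v in out["properties"].items()}
        return out


def patch_vulnerable(store, uuid, patch, context):
    """Pre-fix: the update is authorised, then the response body is built
    straight from the updated object, so secrets come back unmasked."""
    check_policy("baremetal:volume:update", context)
    store[uuid] = apply_json_patch(store[uuid], patch)
    return copy.deepcopy(store[uuid])  # convert_with_links() with no redaction


def patch_fixed(store, uuid, patch, context):
    """Post-fix: same update, but the response passes through the same
    redaction the read paths already apply."""
    check_policy("baremetal:volume:update", context)
    store[uuid] = apply_json_patch(store[uuid], patch)
    return redact_target_properties(store[uuid], context)


def leaked_secrets(body):
    """Secret keys whose real values are present in a response body."""
    return sorted(k for k, v in body["properties"].items()
                  if k in SENSITIVE_KEYS and v != REDACTED)


if __name__ == "__main__":
    print("vulnerable:", leaked_secrets(patch_vulnerable(fresh_store(), TARGET_UUID, PATCH, MEMBER)))
    print("fixed:     ", leaked_secrets(patch_fixed(fresh_store(), TARGET_UUID, PATCH, MEMBER)))
```

Against a live deployment the equivalent request is `PATCH /v1/volume/targets/{uuid}` with a JSON body shaped like `PATCH` above; a quick operator check after applying the fix is to issue it with a token that lacks `baremetal:volume:view_target_properties` and confirm that `properties` in the response carries the redaction marker rather than CHAP values.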
Preconditions
- auth: The attacker must have a valid Keystone token with `baremetal:volume:create` or `baremetal:volume:update` permission.
- auth: The attacker must NOT have `baremetal:volume:view_target_properties` permission.
- config: The deployment must be configured with RBAC policies that separate write and view-properties permissions (e.g., multi-tenant deployments).
- network: The attacker must be able to send HTTP POST or PATCH requests to the `/v1/volume/targets` API endpoint.
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
[1] https://review.opendev.org/c/openstack/ironic/+/990430
News mentions: 0
No linked articles in our index yet.